Alpine Linux - User contributions [en]

Custom Kernel

2025-12-30T09:52:52Z

Pawciobiel: rephrase configuration

{{Draft}}

This process of building a '''custom configured kernel''' assumes you are running on Alpine Linux utilizing abuild & aports.

== But why? ==

You want to build a custom kernel to enable experimental hardware or features or outdated hardware, to reduce bloat further, to tune the kernel to the hardware.

The lts kernel for most Alpine ARCHs uses defaults to balance throughput at the expense of some responsiveness, and support for many devices. You can tweak the kernel for desktop use and low latency and responsiveness.

You should disable modules to increase security. By default, Alpine will install modules but not disable most of them. Disabling modules will reduce an DMA attack but not eliminate it completely. If you have a newer processor with VT-d, you can mitigate as long as you:

Leave <code>CONFIG_INTEL_IOMMU_DEFAULT_ON=y</code> or pass <code>intel_iommu=on</code> as a kernel parameter and disable kernel logging so the attacker doesn't gain DMAR address information through dmesg.[https://blog.frizk.net/2016/11/disable-virtualization-based-security.html] Also remove references to the kernel version to calculate the IOMMU addresses.[https://link.springer.com/content/pdf/10.1186/s13173-017-0066-7.pdf]

You may also want to harden your kernel by adding at least some of the config changes recommended by <code>kernel-hardening-checker</code> [https://github.com/a13xp0p0v/kernel-hardening-checker/]

To increase the security of the boot process, if you have a TPM, you could set <code>CONFIG_INTEL_TXT=y</code> (Enable Intel(R) Trusted Execution Technology (Intel(R) TXT)) (which is not enabled in the hardened kernel by default), then you would need the SINIT module (provided only by Intel)[https://software.intel.com/en-us/articles/intel-trusted-execution-technology], a possibly compiled TrustedGrub2[https://github.com/Rohde-Schwarz-Cybersecurity/TrustedGRUB2], trousers[https://sourceforge.net/projects/trousers/?source=navbar], tboot[https://sourceforge.net/projects/tboot/]. These packages are not in aports and it is unknown if these tools work on musl. It's not recommended for Edge. Also, there would be trigger packages to generate hashes for the kernel and the mkinitfs updates.

== Setting up the Alpine Build System ==

First, you need to follow the steps in [[Creating_an_Alpine_package#Setup_your_system_and_account|Setup your system and account for building packages]]. You also need to configure your {{path|/etc/apk/repositories}} so that they search locally for your apks. See [[Creating_an_Alpine_package#Testing_the_package_locally|Testing the package locally]] for details.

After setting up accounts and repos, change your shell's current working directory to '''aports''' that you just cloned.

{{cmd|$ cd aports}}

== Working with aports ==

We will try using an existing lts kernel just tweaking the {{path|lts.ARCH.config}} file.

=== Switching to the proper release version ===

You need to switch to the proper branch that matches the release so that the kernel compiles against the dependencies properly.

{| cellpadding="5" border="1" class="wikitable"
|-
! Alpine version
! Remote branch
|-
| Edge
| master
|-
| 3.23.0
| 3.23-stable
|-
|}

The following is required to get access to the {{path|APKBUILD}} released for that version of Alpine and which you will create a commit for.

If you are on 3.23 do:

{{cmd|$ git checkout -b 3.23-stable origin/3.23-stable}}

If you are on Edge do:

{{cmd|$ git checkout master}}

=== Creating your config ===

You can use {{pkg|linux-lts}} but what you should do is create a local branch by doing:

For Alpine 3.23 (linux-lts - 6.18):

{{cmd|$ git checkout -b my-custom-kernel origin/3.23-stable}}

For Alpine Edge:

{{cmd|$ git checkout -b my-custom-kernel}}

Doing it this way, you do less work in maintaining. All you need to do is keep ''master'' or ''3.23-stable'' in sync[https://help.github.com/articles/syncing-a-fork/][https://help.github.com/articles/configuring-a-remote-for-a-fork/] and merge any conflicts.

First switch to the branch by doing
<code>git checkout my-custom-kernel</code>.
Then, you need to navigate to the {{path|main/linux-lts}} folder where you should see a APKBUILD and some config- files.

It is a good idea to use custom `FLAVOR` in order to change the name of your kernel and package (custom flavor or revision) so you newly build kernel will not override the existing linux-lts and it's modules. Flavor build will only use your config and omit files that are not for your cpu architectures or virt* configs.(Virt configs provide optimized kernel configurations for running Alpine as a guest in virtual machines.)
This will also speed up the process of applying kernel patches by applying it for your architecture only. (Obviously ARCH in the following example is whatever architecture x86, x86_64...you use.)

First make a copy of your ARCH config file:
<pre>
cp lts.x86_64.config lts-my_custom.x86_64.config
</pre>

Edit your custom config file and add your changes. When you are done with your edits you need to run checksum to update APKBUILD:

<code>FLAVOR=lts-my_custom abuild checksum</code>

Then commit your changes:

<code>git commit -a -m "Enabled these options ...."</code>

You do this so that git can keep your code separate from Alpine's and so your changes float forward between kernel updates.

== Adding custom patches ==

Custom patches should be added to ''sources=''.

After you added the URL, you need to produce a checksum by doing <code>abuild checksum</code>.

The custom patches may not be autopatched, due to being distributed as an archive or different patch level, so you need to define what to do with it in the prepare().

== Configuring kernel ==

There are multiple ways to prepare and change kernel config. The basic one is to just edit your custom config file. You can also attempt to create a config tailored for your currently running system and modules.

To create a kernel config based on your currently running PC, use:
<pre>
make localmodconfig
</pre>
This command reads your current kernel's configuration from /proc/config.gz (if available) or /boot/config-* and creates a .config file that includes only the modules currently loaded on your system. This results in a minimal configuration tailored to your hardware.
Alternatively, you can use:
<pre>make localyesconfig</pre>
This is similar to ''localmodconfig'', but instead of building features as modules (m), it builds them directly into the kernel (y), which can result in a larger kernel image but eliminates the need for separate module files.
Note: Before running either command, make sure you have all the hardware you want to support actively in use (USB devices plugged in, network cards active, etc.) so their modules are loaded and included in the configuration.

The alternative is to use the kernel configuration menu in the build-NAME folder, but before you do that you need to <code>sudo apk add {{pkg|ncurses-dev}}</code>

After you are done using the menu in the build-NAME folder by doing:

<pre>make menuconfig</pre>

You want to remove <code>ncurses-dev</code>. When you are done, it will be stored in ''.config'' which you need to again override the {{path|lts.ARCH.config}} file.

When you are done updating the {{path|config-NAME.ARCH}}, you need to update sums:
<pre>
abuild checksum
</pre>

The options in the kernel config are typically defaults. If your device is old, it may be set to n by default.

=== Vanilla targets and tuning ===

{|cellpadding="5" border="1" class="wikitable"
!ARCH
!Processor Type / CPU Selection / System Type
!Code Generation / Instruction Extensions
!Timer Frequency
!Preemption Model
!Bitness
|-
|s390x
|IBM zEnterprise 114 and 196
|IBM zBC12 and zEC12 (<code>-march=zEC12 -mtune=zEC12</code>)
|1000 Hz
|No Forced Preemption (Server)
|64
|-
|ppc64le
|Server processors
|POWER8 (<code>-mcpu=power8</code>), AltiVec (<code>-Wa,-maltivec</code> to assembler or <code>-maltivec -mabi=altivec</code>), VSX
|1000 HZ
|No Forced Preemption (Server)
|64
|-
|ppc
|
512x/52xx/6xx/7xx/74xx/82xx/83xx/86xx
* Apple PowerMac based machines
|AltiVec (<code>-Wa,-maltivec</code> to assembler or <code>-maltivec -mabi=altivec</code>) on >=74xx
|1000 HZ
|No Forced Preemption (Server)
|32
|-
|x86_64
|Generic-x86-64
|(-mtune=generic ; SIMD assembly modules enabled based on simple compile test and/or presence of CPU flag)
|1000 HZ
|Voluntary Kernel Preemption (Desktop)
|64
|-
|x86
|586/K5/5x86/6x86/6x86MX
|(-mtune=generic ; SIMD assembly modules enabled based on simple compile test and/or presence of CPU flag)
|1000 HZ
|Voluntary Kernel Preemption (Desktop)
|32
|-
|armv7
|
* ARMv7 based platforms (Cortex-A, PJ4, Scorpion, Krait)
* Freescale i.MX family -- Cortex A (i.MX51, i.MX53, i.MX6 Quad/DualLite, i.MX6 SoloLite, i.MX6 SoloX, i.MX6 UltraLite, i.MX7 Dual)
* Qualcomm -- (MSM8X60, MSM8960, MSM8974)
* Allwinner SoCs -- (A10 (sun4i), A10s / A13 (sun5i), A31 (sun6i), A20 (sun7i), sun8i Family, (sun9i))
* ARM Ldt Versatile Express family --
|Either <code>-march=armv7-a</code> or <code>-march=armv5t -Wa,-march=armv7-a</code> based on a compile test. <code>-mfpu=vfp</code>
|1000 Hz
|Voluntary Kernel Preemption (Desktop)
|32
|-
|aarch64
|
* Allwinner sunxi 64-bit SoC Family
* Broadcom BCM2835 family
* Marvell Berlin SoC Family
* ARMv8 based Samsung Exynos SoC family
* ARMv8 based Freescale Layerscape SoC family
* Hisilicon SoC Family
* Mediatek MT65xx & MT81xx ARMv8 SoC
* Marvell EBU SoC Family
* Qualcomm Platforms
* Rockchip Platforms
* AMD Seattle SoC Family
* Altera's Stratix 10 SoCFPGA Family
* NVIDIA Tegra SoC Family
* Spreadtrum SoC platform
* Cavium Inc. Thunder SoC Family
* ARMv8 software model (Versatile Express)
* AppliedMicro X-Gene SOC Family
* Xilinx ZynqMP Family
|
|1000 HZ
|Voluntary Kernel Preemption (Desktop)
|64
|-
|}
If you do desktop multitasking, you may want to switch to Voluntary Kernel Preemption (Desktop) or Preemptible Kernel (Low-Latency Desktop) and up the Timer Frequency. If you run a dedicated render farm node or a dedicated bitcoin miner use No Forced Preemption (Server) and decrease the Timer Frequency.

Optimized modules (most are already compiled as modules):
* raid6 -- altivec, avx512, ssse3, avx2, mmx, sse, sse2, neon
* some operations of raid5 -- mmx (32 bit), sse (64 bit), avx
For Kernel API:
* 32-bit memcpy -- 3dnow
* 32-bit memory page clearing and copying -- sse (Athlon/K7 only), mmx
From x86/crypto, arm/crypto, powerpc/crypto:
* CAMELLIA -- avx2, avx, aes-ni
* CHACHA20 -- avx2, neon
* CAST5 -- avx
* CAST6 -- avx
* TWOFISH -- avx
* SERPENT -- avx2, avx, sse2
* SHA1 -- avx2, ssse3, neon, spe
* SHA2 -- avx2
* SHA256 -- ssse3, neon, spe
* SHA512 -- avx2, ssse3, neon
* POLY1305 -- avx2
* GHASH -- pclmulqdq (part of aes-ni), vmx (power8)
* AES -- aes-ni, neon, vmx (power8), spe
* CRC32 -- pclmulqdq, sse, neon, vmx (power8)
* CRCT10DIF -- pclmulqdq, sse, neon, vmx (power8)

=== Fast reboots with kexec ===
{{main|kexec}}

If you want to reboot the kernel fast avoiding the POST test, you need {{ic|doas apk add {{pkg|kexec-tools}}}} and enable kexec in the kernel:

Processor type and features
[*] kexec system call

=== Hibernation to prevent data loss ===

Power management and ACPI options
[*] Hibernation (aka 'suspend to disk')

Hibernation should be used if you have a laptop. You don't want the laptop to suddenly shut off resulting in data loss, you want it to save your work based on a percentage of battery life (this requires special script). When hibernation resumes, should lock and ask for credentials. Depending on your needs, the hibernated image can be encrypted/decrypted which again requires additional customization to scripts.

Hibernation with an unsanitized swap file is generally insecure because data and unlocked memory pages are swapped out in plaintext. To increase the security either disable swap or use an encrypted swap. The swap file/partition is typically used as the hibernation resume image.

== Building ==

Before building, make sure you have ccache installed. This should reduce compile time on multiple builds.
You may also want to read up on compile flags - perhaps you want your build to be optimized for speed (or size which is the default).
Review <code>/etc/abuild.conf</code> and set:
<pre>
PACKAGER_PRIVKEY="/home/MY_USER_HERE/.abuild/my-email@mydomain.com-ID.rsa"
USE_CCACHE=1
</pre>
Please note that kernel build process may not use some of the settings you set in `abuild.conf` so in order to customize compiler or linker and/or it's flags you may need to edit APKBUILD.
If you have your config ready, first try building with:

<pre>
FLAVOR=lts-my_custom abuild -rK 2>&1 | tee build1.log
</pre>

This will install most of the dependencies and keep buildtime temp dirs and files (srcdir/pkgdir/deps).

If it complains about a dependency like {{pkg|elfutils-dev}} use <code>-rKd</code>.
Then, when it prompts for values for new found config options just hold enter till it starts compiling the kernel.
Unless you use <code>FLAVOR</code> or removed or commented out <code>virt.*.config</code> configs in APKBUILD there should be two sets one for -lts and the other for the -virt.
Just {{Key|Ctrl}}+{{Key|C}} out of the compilation process after
the second set so you can further customize the config.
Then you go into the {{path|src/linux-VER}} and edit the config file.
Copy the {{path|.config}} file overriding the {{path|lts.ARCH.config}} in the srcdir.

== Installing ==

If the build was successful the kernel packages are located in <code>~/packages/main/ARCH</code>
You probably already know how to install a package in your Alpine Linux...

== Testing ==

In case your new kernel may be missing a module and can't boot it is generally a good idea to keep the default <code>linux-lts</code> so make sure you have it installed... <code>apk add {{pkg|linux-lts}}</code>.

Normally during the installation using with ''apk'' there are tools that will update initramfs and a boot loader automatically for you. For easier debugging you may want to change boot loader config and remove <code>quiet</code> from linux command line in <code>/etc/default/grub</code> or <code>/etc/update-extlinux.conf</code>.
Or perhaps you want to change other kernel options in <code>/etc/mkinitfs/mkinitfs.conf</code> - please remember to generate initramfs and update your bootloader manually, eg:
<pre>
# mkinitfs
# grub-mkconfig -o /boot/grub/grub.cfg
</pre>

In case something goes wrong with a boot process it is also a good idea to have a bootable rescue Alpine USB ready.

Once you have the default lts kernel and rescue USB <code>reboot</code> the computer.

If you are curious about correctness testing, some kernel modules or components do preform self tests at the beginning of the boot process. The tools may have test suites that you run with the make command.

== See Also ==
* [[Kernels]]
* [https://wiki.archlinux.org/title/Kernel Archwiki Kernels]
* [https://wiki.gentoo.org/wiki/Kernel Gentoo Wiki Kernel]
* [https://wiki.gentoo.org/wiki/Kernel/Configuration Gentoo Wiki Kernel Configuration]
* [[How to build the Alpine Linux kernel]]
* [[Kernel_live_patching|Kernel Live Patching (KLP)]]

[[Category:Kernel]]

Custom Kernel

2025-12-30T09:46:48Z

Pawciobiel: rephrase testing description

{{Draft}}

This process of building a '''custom configured kernel''' assumes you are running on Alpine Linux utilizing abuild & aports.

== But why? ==

You want to build a custom kernel to enable experimental hardware or features or outdated hardware, to reduce bloat further, to tune the kernel to the hardware.

The lts kernel for most Alpine ARCHs uses defaults to balance throughput at the expense of some responsiveness, and support for many devices. You can tweak the kernel for desktop use and low latency and responsiveness.

You should disable modules to increase security. By default, Alpine will install modules but not disable most of them. Disabling modules will reduce an DMA attack but not eliminate it completely. If you have a newer processor with VT-d, you can mitigate as long as you:

Leave <code>CONFIG_INTEL_IOMMU_DEFAULT_ON=y</code> or pass <code>intel_iommu=on</code> as a kernel parameter and disable kernel logging so the attacker doesn't gain DMAR address information through dmesg.[https://blog.frizk.net/2016/11/disable-virtualization-based-security.html] Also remove references to the kernel version to calculate the IOMMU addresses.[https://link.springer.com/content/pdf/10.1186/s13173-017-0066-7.pdf]

You may also want to harden your kernel by adding at least some of the config changes recommended by <code>kernel-hardening-checker</code> [https://github.com/a13xp0p0v/kernel-hardening-checker/]

To increase the security of the boot process, if you have a TPM, you could set <code>CONFIG_INTEL_TXT=y</code> (Enable Intel(R) Trusted Execution Technology (Intel(R) TXT)) (which is not enabled in the hardened kernel by default), then you would need the SINIT module (provided only by Intel)[https://software.intel.com/en-us/articles/intel-trusted-execution-technology], a possibly compiled TrustedGrub2[https://github.com/Rohde-Schwarz-Cybersecurity/TrustedGRUB2], trousers[https://sourceforge.net/projects/trousers/?source=navbar], tboot[https://sourceforge.net/projects/tboot/]. These packages are not in aports and it is unknown if these tools work on musl. It's not recommended for Edge. Also, there would be trigger packages to generate hashes for the kernel and the mkinitfs updates.

== Setting up the Alpine Build System ==

First, you need to follow the steps in [[Creating_an_Alpine_package#Setup_your_system_and_account|Setup your system and account for building packages]]. You also need to configure your {{path|/etc/apk/repositories}} so that they search locally for your apks. See [[Creating_an_Alpine_package#Testing_the_package_locally|Testing the package locally]] for details.

After setting up accounts and repos, change your shell's current working directory to '''aports''' that you just cloned.

{{cmd|$ cd aports}}

== Working with aports ==

We will try using an existing lts kernel just tweaking the {{path|lts.ARCH.config}} file.

=== Switching to the proper release version ===

You need to switch to the proper branch that matches the release so that the kernel compiles against the dependencies properly.

{| cellpadding="5" border="1" class="wikitable"
|-
! Alpine version
! Remote branch
|-
| Edge
| master
|-
| 3.23.0
| 3.23-stable
|-
|}

The following is required to get access to the {{path|APKBUILD}} released for that version of Alpine and which you will create a commit for.

If you are on 3.23 do:

{{cmd|$ git checkout -b 3.23-stable origin/3.23-stable}}

If you are on Edge do:

{{cmd|$ git checkout master}}

=== Creating your config ===

You can use {{pkg|linux-lts}} but what you should do is create a local branch by doing:

For Alpine 3.23 (linux-lts - 6.18):

{{cmd|$ git checkout -b my-custom-kernel origin/3.23-stable}}

For Alpine Edge:

{{cmd|$ git checkout -b my-custom-kernel}}

Doing it this way, you do less work in maintaining. All you need to do is keep ''master'' or ''3.23-stable'' in sync[https://help.github.com/articles/syncing-a-fork/][https://help.github.com/articles/configuring-a-remote-for-a-fork/] and merge any conflicts.

First switch to the branch by doing
<code>git checkout my-custom-kernel</code>.
Then, you need to navigate to the {{path|main/linux-lts}} folder where you should see a APKBUILD and some config- files.

It is a good idea to use custom `FLAVOR` in order to change the name of your kernel and package (custom flavor or revision) so you newly build kernel will not override the existing linux-lts and it's modules. Flavor build will only use your config and omit files that are not for your cpu architectures or virt* configs.(Virt configs provide optimized kernel configurations for running Alpine as a guest in virtual machines.)
This will also speed up the process of applying kernel patches by applying it for your architecture only. (Obviously ARCH in the following example is whatever architecture x86, x86_64...you use.)

First make a copy of your ARCH config file:
<pre>
cp lts.x86_64.config lts-my_custom.x86_64.config
</pre>

Edit your custom config file and add your changes. When you are done with your edits you need to run checksum to update APKBUILD:

<code>FLAVOR=lts-my_custom abuild checksum</code>

Then commit your changes:

<code>git commit -a -m "Enabled these options ...."</code>

You do this so that git can keep your code separate from Alpine's and so your changes float forward between kernel updates.

== Adding custom patches ==

Custom patches should be added to ''sources=''.

After you added the URL, you need to produce a checksum by doing <code>abuild checksum</code>.

The custom patches may not be autopatched, due to being distributed as an archive or different patch level, so you need to define what to do with it in the prepare().

== Configuring kernel ==

Attempt to create a config for your currently running system and modules first.

To create a kernel config based on your currently running PC, use:
<code>make localmodconfig</code>
This command reads your current kernel's configuration from /proc/config.gz (if available) or /boot/config-* and creates a .config file that includes only the modules currently loaded on your system. This results in a minimal configuration tailored to your hardware.
Alternatively, you can use:
<code>make localyesconfig</code>
This is similar to ''localmodconfig'', but instead of building features as modules (m), it builds them directly into the kernel (y), which can result in a larger kernel image but eliminates the need for separate module files.
Note: Before running either command, make sure you have all the hardware you want to support actively in use (USB devices plugged in, network cards active, etc.) so their modules are loaded and included in the configuration.

The alternative is to use the kernel configuration menu in the build-NAME folder, but before you do that you need to <code>sudo apk add {{pkg|ncurses-dev}}</code>

After you are done using the menu in the build-NAME folder by doing <code>make menuconfig</code>, you want to remove <code>ncurses-dev</code>. When you are done, it will be stored in ''.config'' which you need to again override the {{path|lts.ARCH.config}} file. When you are done updating the {{path|config-NAME.ARCH}}, you need to do <code>abuild checksum</code>.

The options in the kernel config are typically defaults. If your device is old, it may be set to n by default.

=== Vanilla targets and tuning ===

{|cellpadding="5" border="1" class="wikitable"
!ARCH
!Processor Type / CPU Selection / System Type
!Code Generation / Instruction Extensions
!Timer Frequency
!Preemption Model
!Bitness
|-
|s390x
|IBM zEnterprise 114 and 196
|IBM zBC12 and zEC12 (<code>-march=zEC12 -mtune=zEC12</code>)
|1000 Hz
|No Forced Preemption (Server)
|64
|-
|ppc64le
|Server processors
|POWER8 (<code>-mcpu=power8</code>), AltiVec (<code>-Wa,-maltivec</code> to assembler or <code>-maltivec -mabi=altivec</code>), VSX
|1000 HZ
|No Forced Preemption (Server)
|64
|-
|ppc
|
512x/52xx/6xx/7xx/74xx/82xx/83xx/86xx
* Apple PowerMac based machines
|AltiVec (<code>-Wa,-maltivec</code> to assembler or <code>-maltivec -mabi=altivec</code>) on >=74xx
|1000 HZ
|No Forced Preemption (Server)
|32
|-
|x86_64
|Generic-x86-64
|(-mtune=generic ; SIMD assembly modules enabled based on simple compile test and/or presence of CPU flag)
|1000 HZ
|Voluntary Kernel Preemption (Desktop)
|64
|-
|x86
|586/K5/5x86/6x86/6x86MX
|(-mtune=generic ; SIMD assembly modules enabled based on simple compile test and/or presence of CPU flag)
|1000 HZ
|Voluntary Kernel Preemption (Desktop)
|32
|-
|armv7
|
* ARMv7 based platforms (Cortex-A, PJ4, Scorpion, Krait)
* Freescale i.MX family -- Cortex A (i.MX51, i.MX53, i.MX6 Quad/DualLite, i.MX6 SoloLite, i.MX6 SoloX, i.MX6 UltraLite, i.MX7 Dual)
* Qualcomm -- (MSM8X60, MSM8960, MSM8974)
* Allwinner SoCs -- (A10 (sun4i), A10s / A13 (sun5i), A31 (sun6i), A20 (sun7i), sun8i Family, (sun9i))
* ARM Ldt Versatile Express family --
|Either <code>-march=armv7-a</code> or <code>-march=armv5t -Wa,-march=armv7-a</code> based on a compile test. <code>-mfpu=vfp</code>
|1000 Hz
|Voluntary Kernel Preemption (Desktop)
|32
|-
|aarch64
|
* Allwinner sunxi 64-bit SoC Family
* Broadcom BCM2835 family
* Marvell Berlin SoC Family
* ARMv8 based Samsung Exynos SoC family
* ARMv8 based Freescale Layerscape SoC family
* Hisilicon SoC Family
* Mediatek MT65xx & MT81xx ARMv8 SoC
* Marvell EBU SoC Family
* Qualcomm Platforms
* Rockchip Platforms
* AMD Seattle SoC Family
* Altera's Stratix 10 SoCFPGA Family
* NVIDIA Tegra SoC Family
* Spreadtrum SoC platform
* Cavium Inc. Thunder SoC Family
* ARMv8 software model (Versatile Express)
* AppliedMicro X-Gene SOC Family
* Xilinx ZynqMP Family
|
|1000 HZ
|Voluntary Kernel Preemption (Desktop)
|64
|-
|}
If you do desktop multitasking, you may want to switch to Voluntary Kernel Preemption (Desktop) or Preemptible Kernel (Low-Latency Desktop) and up the Timer Frequency. If you run a dedicated render farm node or a dedicated bitcoin miner use No Forced Preemption (Server) and decrease the Timer Frequency.

Optimized modules (most are already compiled as modules):
* raid6 -- altivec, avx512, ssse3, avx2, mmx, sse, sse2, neon
* some operations of raid5 -- mmx (32 bit), sse (64 bit), avx
For Kernel API:
* 32-bit memcpy -- 3dnow
* 32-bit memory page clearing and copying -- sse (Athlon/K7 only), mmx
From x86/crypto, arm/crypto, powerpc/crypto:
* CAMELLIA -- avx2, avx, aes-ni
* CHACHA20 -- avx2, neon
* CAST5 -- avx
* CAST6 -- avx
* TWOFISH -- avx
* SERPENT -- avx2, avx, sse2
* SHA1 -- avx2, ssse3, neon, spe
* SHA2 -- avx2
* SHA256 -- ssse3, neon, spe
* SHA512 -- avx2, ssse3, neon
* POLY1305 -- avx2
* GHASH -- pclmulqdq (part of aes-ni), vmx (power8)
* AES -- aes-ni, neon, vmx (power8), spe
* CRC32 -- pclmulqdq, sse, neon, vmx (power8)
* CRCT10DIF -- pclmulqdq, sse, neon, vmx (power8)

=== Fast reboots with kexec ===
{{main|kexec}}

If you want to reboot the kernel fast avoiding the POST test, you need {{ic|doas apk add {{pkg|kexec-tools}}}} and enable kexec in the kernel:

Processor type and features
[*] kexec system call

=== Hibernation to prevent data loss ===

Power management and ACPI options
[*] Hibernation (aka 'suspend to disk')

Hibernation should be used if you have a laptop. You don't want the laptop to suddenly shut off resulting in data loss, you want it to save your work based on a percentage of battery life (this requires special script). When hibernation resumes, should lock and ask for credentials. Depending on your needs, the hibernated image can be encrypted/decrypted which again requires additional customization to scripts.

Hibernation with an unsanitized swap file is generally insecure because data and unlocked memory pages are swapped out in plaintext. To increase the security either disable swap or use an encrypted swap. The swap file/partition is typically used as the hibernation resume image.

== Building ==

Before building, make sure you have ccache installed. This should reduce compile time on multiple builds.
You may also want to read up on compile flags - perhaps you want your build to be optimized for speed (or size which is the default).
Review <code>/etc/abuild.conf</code> and set:
<pre>
PACKAGER_PRIVKEY="/home/MY_USER_HERE/.abuild/my-email@mydomain.com-ID.rsa"
USE_CCACHE=1
</pre>
Please note that kernel build process may not use some of the settings you set in `abuild.conf` so in order to customize compiler or linker and/or it's flags you may need to edit APKBUILD.
If you have your config ready, first try building with:

<pre>
FLAVOR=lts-my_custom abuild -rK 2>&1 | tee build1.log
</pre>

This will install most of the dependencies and keep buildtime temp dirs and files (srcdir/pkgdir/deps).

If it complains about a dependency like {{pkg|elfutils-dev}} use <code>-rKd</code>.
Then, when it prompts for values for new found config options just hold enter till it starts compiling the kernel.
Unless you use <code>FLAVOR</code> or removed or commented out <code>virt.*.config</code> configs in APKBUILD there should be two sets one for -lts and the other for the -virt.
Just {{Key|Ctrl}}+{{Key|C}} out of the compilation process after
the second set so you can further customize the config.
Then you go into the {{path|src/linux-VER}} and edit the config file.
Copy the {{path|.config}} file overriding the {{path|lts.ARCH.config}} in the srcdir.

== Installing ==

If the build was successful the kernel packages are located in <code>~/packages/main/ARCH</code>
You probably already know how to install a package in your Alpine Linux...

== Testing ==

In case your new kernel may be missing a module and can't boot it is generally a good idea to keep the default <code>linux-lts</code> so make sure you have it installed... <code>apk add {{pkg|linux-lts}}</code>.

Normally during the installation using with ''apk'' there are tools that will update initramfs and a boot loader automatically for you. For easier debugging you may want to change boot loader config and remove <code>quiet</code> from linux command line in <code>/etc/default/grub</code> or <code>/etc/update-extlinux.conf</code>.
Or perhaps you want to change other kernel options in <code>/etc/mkinitfs/mkinitfs.conf</code> - please remember to generate initramfs and update your bootloader manually, eg:
<pre>
# mkinitfs
# grub-mkconfig -o /boot/grub/grub.cfg
</pre>

In case something goes wrong with a boot process it is also a good idea to have a bootable rescue Alpine USB ready.

Once you have the default lts kernel and rescue USB <code>reboot</code> the computer.

If you are curious about correctness testing, some kernel modules or components do preform self tests at the beginning of the boot process. The tools may have test suites that you run with the make command.

== See Also ==
* [[Kernels]]
* [https://wiki.archlinux.org/title/Kernel Archwiki Kernels]
* [https://wiki.gentoo.org/wiki/Kernel Gentoo Wiki Kernel]
* [https://wiki.gentoo.org/wiki/Kernel/Configuration Gentoo Wiki Kernel Configuration]
* [[How to build the Alpine Linux kernel]]
* [[Kernel_live_patching|Kernel Live Patching (KLP)]]

[[Category:Kernel]]

Custom Kernel

2025-12-30T09:38:00Z

Pawciobiel: Updated installing

{{Draft}}

This process of building a '''custom configured kernel''' assumes you are running on Alpine Linux utilizing abuild & aports.

== But why? ==

You want to build a custom kernel to enable experimental hardware or features or outdated hardware, to reduce bloat further, to tune the kernel to the hardware.

The lts kernel for most Alpine ARCHs uses defaults to balance throughput at the expense of some responsiveness, and support for many devices. You can tweak the kernel for desktop use and low latency and responsiveness.

You should disable modules to increase security. By default, Alpine will install modules but not disable most of them. Disabling modules will reduce an DMA attack but not eliminate it completely. If you have a newer processor with VT-d, you can mitigate as long as you:

Leave <code>CONFIG_INTEL_IOMMU_DEFAULT_ON=y</code> or pass <code>intel_iommu=on</code> as a kernel parameter and disable kernel logging so the attacker doesn't gain DMAR address information through dmesg.[https://blog.frizk.net/2016/11/disable-virtualization-based-security.html] Also remove references to the kernel version to calculate the IOMMU addresses.[https://link.springer.com/content/pdf/10.1186/s13173-017-0066-7.pdf]

You may also want to harden your kernel by adding at least some of the config changes recommended by <code>kernel-hardening-checker</code> [https://github.com/a13xp0p0v/kernel-hardening-checker/]

To increase the security of the boot process, if you have a TPM, you could set <code>CONFIG_INTEL_TXT=y</code> (Enable Intel(R) Trusted Execution Technology (Intel(R) TXT)) (which is not enabled in the hardened kernel by default), then you would need the SINIT module (provided only by Intel)[https://software.intel.com/en-us/articles/intel-trusted-execution-technology], a possibly compiled TrustedGrub2[https://github.com/Rohde-Schwarz-Cybersecurity/TrustedGRUB2], trousers[https://sourceforge.net/projects/trousers/?source=navbar], tboot[https://sourceforge.net/projects/tboot/]. These packages are not in aports and it is unknown if these tools work on musl. It's not recommended for Edge. Also, there would be trigger packages to generate hashes for the kernel and the mkinitfs updates.

== Setting up the Alpine Build System ==

First, you need to follow the steps in [[Creating_an_Alpine_package#Setup_your_system_and_account|Setup your system and account for building packages]]. You also need to configure your {{path|/etc/apk/repositories}} so that they search locally for your apks. See [[Creating_an_Alpine_package#Testing_the_package_locally|Testing the package locally]] for details.

After setting up accounts and repos, change your shell's current working directory to '''aports''' that you just cloned.

{{cmd|$ cd aports}}

== Working with aports ==

We will try using an existing lts kernel just tweaking the {{path|lts.ARCH.config}} file.

=== Switching to the proper release version ===

You need to switch to the proper branch that matches the release so that the kernel compiles against the dependencies properly.

{| cellpadding="5" border="1" class="wikitable"
|-
! Alpine version
! Remote branch
|-
| Edge
| master
|-
| 3.23.0
| 3.23-stable
|-
|}

The following is required to get access to the {{path|APKBUILD}} released for that version of Alpine and which you will create a commit for.

If you are on 3.23 do:

{{cmd|$ git checkout -b 3.23-stable origin/3.23-stable}}

If you are on Edge do:

{{cmd|$ git checkout master}}

=== Creating your config ===

You can use {{pkg|linux-lts}} but what you should do is create a local branch by doing:

For Alpine 3.23 (linux-lts - 6.18):

{{cmd|$ git checkout -b my-custom-kernel origin/3.23-stable}}

For Alpine Edge:

{{cmd|$ git checkout -b my-custom-kernel}}

Doing it this way, you do less work in maintaining. All you need to do is keep ''master'' or ''3.23-stable'' in sync[https://help.github.com/articles/syncing-a-fork/][https://help.github.com/articles/configuring-a-remote-for-a-fork/] and merge any conflicts.

First switch to the branch by doing
<code>git checkout my-custom-kernel</code>.
Then, you need to navigate to the {{path|main/linux-lts}} folder where you should see a APKBUILD and some config- files.

It is a good idea to use custom `FLAVOR` in order to change the name of your kernel and package (custom flavor or revision) so you newly build kernel will not override the existing linux-lts and it's modules. Flavor build will only use your config and omit files that are not for your cpu architectures or virt* configs.(Virt configs provide optimized kernel configurations for running Alpine as a guest in virtual machines.)
This will also speed up the process of applying kernel patches by applying it for your architecture only. (Obviously ARCH in the following example is whatever architecture x86, x86_64...you use.)

First make a copy of your ARCH config file:
<pre>
cp lts.x86_64.config lts-my_custom.x86_64.config
</pre>

Edit your custom config file and add your changes. When you are done with your edits you need to run checksum to update APKBUILD:

<code>FLAVOR=lts-my_custom abuild checksum</code>

Then commit your changes:

<code>git commit -a -m "Enabled these options ...."</code>

You do this so that git can keep your code separate from Alpine's and so your changes float forward between kernel updates.

== Adding custom patches ==

Custom patches should be added to ''sources=''.

After you added the URL, you need to produce a checksum by doing <code>abuild checksum</code>.

The custom patches may not be autopatched, due to being distributed as an archive or different patch level, so you need to define what to do with it in the prepare().

== Configuring kernel ==

Attempt to create a config for your currently running system and modules first.

To create a kernel config based on your currently running PC, use:
<code>make localmodconfig</code>
This command reads your current kernel's configuration from /proc/config.gz (if available) or /boot/config-* and creates a .config file that includes only the modules currently loaded on your system. This results in a minimal configuration tailored to your hardware.
Alternatively, you can use:
<code>make localyesconfig</code>
This is similar to ''localmodconfig'', but instead of building features as modules (m), it builds them directly into the kernel (y), which can result in a larger kernel image but eliminates the need for separate module files.
Note: Before running either command, make sure you have all the hardware you want to support actively in use (USB devices plugged in, network cards active, etc.) so their modules are loaded and included in the configuration.

The alternative is to use the kernel configuration menu in the build-NAME folder, but before you do that you need to <code>sudo apk add {{pkg|ncurses-dev}}</code>

After you are done using the menu in the build-NAME folder by doing <code>make menuconfig</code>, you want to remove <code>ncurses-dev</code>. When you are done, it will be stored in ''.config'' which you need to again override the {{path|lts.ARCH.config}} file. When you are done updating the {{path|config-NAME.ARCH}}, you need to do <code>abuild checksum</code>.

The options in the kernel config are typically defaults. If your device is old, it may be set to n by default.

=== Vanilla targets and tuning ===

{|cellpadding="5" border="1" class="wikitable"
!ARCH
!Processor Type / CPU Selection / System Type
!Code Generation / Instruction Extensions
!Timer Frequency
!Preemption Model
!Bitness
|-
|s390x
|IBM zEnterprise 114 and 196
|IBM zBC12 and zEC12 (<code>-march=zEC12 -mtune=zEC12</code>)
|1000 Hz
|No Forced Preemption (Server)
|64
|-
|ppc64le
|Server processors
|POWER8 (<code>-mcpu=power8</code>), AltiVec (<code>-Wa,-maltivec</code> to assembler or <code>-maltivec -mabi=altivec</code>), VSX
|1000 HZ
|No Forced Preemption (Server)
|64
|-
|ppc
|
512x/52xx/6xx/7xx/74xx/82xx/83xx/86xx
* Apple PowerMac based machines
|AltiVec (<code>-Wa,-maltivec</code> to assembler or <code>-maltivec -mabi=altivec</code>) on >=74xx
|1000 HZ
|No Forced Preemption (Server)
|32
|-
|x86_64
|Generic-x86-64
|(-mtune=generic ; SIMD assembly modules enabled based on simple compile test and/or presence of CPU flag)
|1000 HZ
|Voluntary Kernel Preemption (Desktop)
|64
|-
|x86
|586/K5/5x86/6x86/6x86MX
|(-mtune=generic ; SIMD assembly modules enabled based on simple compile test and/or presence of CPU flag)
|1000 HZ
|Voluntary Kernel Preemption (Desktop)
|32
|-
|armv7
|
* ARMv7 based platforms (Cortex-A, PJ4, Scorpion, Krait)
* Freescale i.MX family -- Cortex A (i.MX51, i.MX53, i.MX6 Quad/DualLite, i.MX6 SoloLite, i.MX6 SoloX, i.MX6 UltraLite, i.MX7 Dual)
* Qualcomm -- (MSM8X60, MSM8960, MSM8974)
* Allwinner SoCs -- (A10 (sun4i), A10s / A13 (sun5i), A31 (sun6i), A20 (sun7i), sun8i Family, (sun9i))
* ARM Ldt Versatile Express family --
|Either <code>-march=armv7-a</code> or <code>-march=armv5t -Wa,-march=armv7-a</code> based on a compile test. <code>-mfpu=vfp</code>
|1000 Hz
|Voluntary Kernel Preemption (Desktop)
|32
|-
|aarch64
|
* Allwinner sunxi 64-bit SoC Family
* Broadcom BCM2835 family
* Marvell Berlin SoC Family
* ARMv8 based Samsung Exynos SoC family
* ARMv8 based Freescale Layerscape SoC family
* Hisilicon SoC Family
* Mediatek MT65xx & MT81xx ARMv8 SoC
* Marvell EBU SoC Family
* Qualcomm Platforms
* Rockchip Platforms
* AMD Seattle SoC Family
* Altera's Stratix 10 SoCFPGA Family
* NVIDIA Tegra SoC Family
* Spreadtrum SoC platform
* Cavium Inc. Thunder SoC Family
* ARMv8 software model (Versatile Express)
* AppliedMicro X-Gene SOC Family
* Xilinx ZynqMP Family
|
|1000 HZ
|Voluntary Kernel Preemption (Desktop)
|64
|-
|}
If you do desktop multitasking, you may want to switch to Voluntary Kernel Preemption (Desktop) or Preemptible Kernel (Low-Latency Desktop) and up the Timer Frequency. If you run a dedicated render farm node or a dedicated bitcoin miner use No Forced Preemption (Server) and decrease the Timer Frequency.

Optimized modules (most are already compiled as modules):
* raid6 -- altivec, avx512, ssse3, avx2, mmx, sse, sse2, neon
* some operations of raid5 -- mmx (32 bit), sse (64 bit), avx
For Kernel API:
* 32-bit memcpy -- 3dnow
* 32-bit memory page clearing and copying -- sse (Athlon/K7 only), mmx
From x86/crypto, arm/crypto, powerpc/crypto:
* CAMELLIA -- avx2, avx, aes-ni
* CHACHA20 -- avx2, neon
* CAST5 -- avx
* CAST6 -- avx
* TWOFISH -- avx
* SERPENT -- avx2, avx, sse2
* SHA1 -- avx2, ssse3, neon, spe
* SHA2 -- avx2
* SHA256 -- ssse3, neon, spe
* SHA512 -- avx2, ssse3, neon
* POLY1305 -- avx2
* GHASH -- pclmulqdq (part of aes-ni), vmx (power8)
* AES -- aes-ni, neon, vmx (power8), spe
* CRC32 -- pclmulqdq, sse, neon, vmx (power8)
* CRCT10DIF -- pclmulqdq, sse, neon, vmx (power8)

=== Fast reboots with kexec ===
{{main|kexec}}

If you want to reboot the kernel fast avoiding the POST test, you need {{ic|doas apk add {{pkg|kexec-tools}}}} and enable kexec in the kernel:

Processor type and features
[*] kexec system call

=== Hibernation to prevent data loss ===

Power management and ACPI options
[*] Hibernation (aka 'suspend to disk')

Hibernation should be used if you have a laptop. You don't want the laptop to suddenly shut off resulting in data loss, you want it to save your work based on a percentage of battery life (this requires special script). When hibernation resumes, should lock and ask for credentials. Depending on your needs, the hibernated image can be encrypted/decrypted which again requires additional customization to scripts.

Hibernation with an unsanitized swap file is generally insecure because data and unlocked memory pages are swapped out in plaintext. To increase the security either disable swap or use an encrypted swap. The swap file/partition is typically used as the hibernation resume image.

== Building ==

Before building, make sure you have ccache installed. This should reduce compile time on multiple builds.
You may also want to read up on compile flags - perhaps you want your build to be optimized for speed (or size which is the default).
Review <code>/etc/abuild.conf</code> and set:
<pre>
PACKAGER_PRIVKEY="/home/MY_USER_HERE/.abuild/my-email@mydomain.com-ID.rsa"
USE_CCACHE=1
</pre>
Please note that kernel build process may not use some of the settings you set in `abuild.conf` so in order to customize compiler or linker and/or it's flags you may need to edit APKBUILD.
If you have your config ready, first try building with:

<pre>
FLAVOR=lts-my_custom abuild -rK 2>&1 | tee build1.log
</pre>

This will install most of the dependencies and keep buildtime temp dirs and files (srcdir/pkgdir/deps).

If it complains about a dependency like {{pkg|elfutils-dev}} use <code>-rKd</code>.
Then, when it prompts for values for new found config options just hold enter till it starts compiling the kernel.
Unless you use <code>FLAVOR</code> or removed or commented out <code>virt.*.config</code> configs in APKBUILD there should be two sets one for -lts and the other for the -virt.
Just {{Key|Ctrl}}+{{Key|C}} out of the compilation process after
the second set so you can further customize the config.
Then you go into the {{path|src/linux-VER}} and edit the config file.
Copy the {{path|.config}} file overriding the {{path|lts.ARCH.config}} in the srcdir.

== Installing ==

If the build was successful the kernel packages are located in <code>~/packages/main/ARCH</code>
You probably already know how to install a package in your Alpine Linux...

== Testing ==

Before you test, you should install the lts kernel too, using <code>apk add {{pkg|linux-lts}}</code>. You may be missing a module and can't boot, so you use the other kernel as the fallback boot kernel.

Normally during the installation using with ''apk'' there are tools that will update initramfs and a boot loader automatically for you. For easier debugging you may want to change boot loader config and remove <code>quiet</code> from linux command line in <code>/etc/default/grub</code> or <code>/etc/update-extlinux.conf</code>.
Or perhaps you want to change other kernel options in <code>/etc/mkinitfs/mkinitfs.conf</code> - please remember to generate initramfs and update your bootloader manually, eg:
<pre>
# mkinitfs
# grub-mkconfig -o /boot/grub/grub.cfg
</pre>

To test, first you should make a bootable Alpine USB image. Then, when you have your rescue USB done, you <code>reboot</code> the computer.

To test it, you basically do trial and error. Sometimes your config is missing something if you want to have a bare minimum setting.

If you are curious about correctness testing, some kernel modules or components do preform self tests at the beginning of the boot process. The tools may have test suites that you run with the make command.

== See Also ==
* [[Kernels]]
* [https://wiki.archlinux.org/title/Kernel Archwiki Kernels]
* [https://wiki.gentoo.org/wiki/Kernel Gentoo Wiki Kernel]
* [https://wiki.gentoo.org/wiki/Kernel/Configuration Gentoo Wiki Kernel Configuration]
* [[How to build the Alpine Linux kernel]]
* [[Kernel_live_patching|Kernel Live Patching (KLP)]]

[[Category:Kernel]]

Custom Kernel

2025-12-30T09:35:28Z

Pawciobiel: Update building with FLAVOR

{{Draft}}

This process of building a '''custom configured kernel''' assumes you are running on Alpine Linux utilizing abuild & aports.

== But why? ==

You want to build a custom kernel to enable experimental hardware or features or outdated hardware, to reduce bloat further, to tune the kernel to the hardware.

The lts kernel for most Alpine ARCHs uses defaults to balance throughput at the expense of some responsiveness, and support for many devices. You can tweak the kernel for desktop use and low latency and responsiveness.

You should disable modules to increase security. By default, Alpine will install modules but not disable most of them. Disabling modules will reduce an DMA attack but not eliminate it completely. If you have a newer processor with VT-d, you can mitigate as long as you:

Leave <code>CONFIG_INTEL_IOMMU_DEFAULT_ON=y</code> or pass <code>intel_iommu=on</code> as a kernel parameter and disable kernel logging so the attacker doesn't gain DMAR address information through dmesg.[https://blog.frizk.net/2016/11/disable-virtualization-based-security.html] Also remove references to the kernel version to calculate the IOMMU addresses.[https://link.springer.com/content/pdf/10.1186/s13173-017-0066-7.pdf]

You may also want to harden your kernel by adding at least some of the config changes recommended by <code>kernel-hardening-checker</code> [https://github.com/a13xp0p0v/kernel-hardening-checker/]

To increase the security of the boot process, if you have a TPM, you could set <code>CONFIG_INTEL_TXT=y</code> (Enable Intel(R) Trusted Execution Technology (Intel(R) TXT)) (which is not enabled in the hardened kernel by default), then you would need the SINIT module (provided only by Intel)[https://software.intel.com/en-us/articles/intel-trusted-execution-technology], a possibly compiled TrustedGrub2[https://github.com/Rohde-Schwarz-Cybersecurity/TrustedGRUB2], trousers[https://sourceforge.net/projects/trousers/?source=navbar], tboot[https://sourceforge.net/projects/tboot/]. These packages are not in aports and it is unknown if these tools work on musl. It's not recommended for Edge. Also, there would be trigger packages to generate hashes for the kernel and the mkinitfs updates.

== Setting up the Alpine Build System ==

First, you need to follow the steps in [[Creating_an_Alpine_package#Setup_your_system_and_account|Setup your system and account for building packages]]. You also need to configure your {{path|/etc/apk/repositories}} so that they search locally for your apks. See [[Creating_an_Alpine_package#Testing_the_package_locally|Testing the package locally]] for details.

After setting up accounts and repos, change your shell's current working directory to '''aports''' that you just cloned.

{{cmd|$ cd aports}}

== Working with aports ==

We will try using an existing lts kernel just tweaking the {{path|lts.ARCH.config}} file.

=== Switching to the proper release version ===

You need to switch to the proper branch that matches the release so that the kernel compiles against the dependencies properly.

{| cellpadding="5" border="1" class="wikitable"
|-
! Alpine version
! Remote branch
|-
| Edge
| master
|-
| 3.23.0
| 3.23-stable
|-
|}

The following is required to get access to the {{path|APKBUILD}} released for that version of Alpine and which you will create a commit for.

If you are on 3.23 do:

{{cmd|$ git checkout -b 3.23-stable origin/3.23-stable}}

If you are on Edge do:

{{cmd|$ git checkout master}}

=== Creating your config ===

You can use {{pkg|linux-lts}} but what you should do is create a local branch by doing:

For Alpine 3.23 (linux-lts - 6.18):

{{cmd|$ git checkout -b my-custom-kernel origin/3.23-stable}}

For Alpine Edge:

{{cmd|$ git checkout -b my-custom-kernel}}

Doing it this way, you do less work in maintaining. All you need to do is keep ''master'' or ''3.23-stable'' in sync[https://help.github.com/articles/syncing-a-fork/][https://help.github.com/articles/configuring-a-remote-for-a-fork/] and merge any conflicts.

First switch to the branch by doing
<code>git checkout my-custom-kernel</code>.
Then, you need to navigate to the {{path|main/linux-lts}} folder where you should see a APKBUILD and some config- files.

It is a good idea to use custom `FLAVOR` in order to change the name of your kernel and package (custom flavor or revision) so you newly build kernel will not override the existing linux-lts and it's modules. Flavor build will only use your config and omit files that are not for your cpu architectures or virt* configs.(Virt configs provide optimized kernel configurations for running Alpine as a guest in virtual machines.)
This will also speed up the process of applying kernel patches by applying it for your architecture only. (Obviously ARCH in the following example is whatever architecture x86, x86_64...you use.)

First make a copy of your ARCH config file:
<pre>
cp lts.x86_64.config lts-my_custom.x86_64.config
</pre>

Edit your custom config file and add your changes. When you are done with your edits you need to run checksum to update APKBUILD:

<code>FLAVOR=lts-my_custom abuild checksum</code>

Then commit your changes:

<code>git commit -a -m "Enabled these options ...."</code>

You do this so that git can keep your code separate from Alpine's and so your changes float forward between kernel updates.

== Adding custom patches ==

Custom patches should be added to ''sources=''.

After you added the URL, you need to produce a checksum by doing <code>abuild checksum</code>.

The custom patches may not be autopatched, due to being distributed as an archive or different patch level, so you need to define what to do with it in the prepare().

== Configuring kernel ==

Attempt to create a config for your currently running system and modules first.

To create a kernel config based on your currently running PC, use:
<code>make localmodconfig</code>
This command reads your current kernel's configuration from /proc/config.gz (if available) or /boot/config-* and creates a .config file that includes only the modules currently loaded on your system. This results in a minimal configuration tailored to your hardware.
Alternatively, you can use:
<code>make localyesconfig</code>
This is similar to ''localmodconfig'', but instead of building features as modules (m), it builds them directly into the kernel (y), which can result in a larger kernel image but eliminates the need for separate module files.
Note: Before running either command, make sure you have all the hardware you want to support actively in use (USB devices plugged in, network cards active, etc.) so their modules are loaded and included in the configuration.

The alternative is to use the kernel configuration menu in the build-NAME folder, but before you do that you need to <code>sudo apk add {{pkg|ncurses-dev}}</code>

After you are done using the menu in the build-NAME folder by doing <code>make menuconfig</code>, you want to remove <code>ncurses-dev</code>. When you are done, it will be stored in ''.config'' which you need to again override the {{path|lts.ARCH.config}} file. When you are done updating the {{path|config-NAME.ARCH}}, you need to do <code>abuild checksum</code>.

The options in the kernel config are typically defaults. If your device is old, it may be set to n by default.

=== Vanilla targets and tuning ===

{|cellpadding="5" border="1" class="wikitable"
!ARCH
!Processor Type / CPU Selection / System Type
!Code Generation / Instruction Extensions
!Timer Frequency
!Preemption Model
!Bitness
|-
|s390x
|IBM zEnterprise 114 and 196
|IBM zBC12 and zEC12 (<code>-march=zEC12 -mtune=zEC12</code>)
|1000 Hz
|No Forced Preemption (Server)
|64
|-
|ppc64le
|Server processors
|POWER8 (<code>-mcpu=power8</code>), AltiVec (<code>-Wa,-maltivec</code> to assembler or <code>-maltivec -mabi=altivec</code>), VSX
|1000 HZ
|No Forced Preemption (Server)
|64
|-
|ppc
|
512x/52xx/6xx/7xx/74xx/82xx/83xx/86xx
* Apple PowerMac based machines
|AltiVec (<code>-Wa,-maltivec</code> to assembler or <code>-maltivec -mabi=altivec</code>) on >=74xx
|1000 HZ
|No Forced Preemption (Server)
|32
|-
|x86_64
|Generic-x86-64
|(-mtune=generic ; SIMD assembly modules enabled based on simple compile test and/or presence of CPU flag)
|1000 HZ
|Voluntary Kernel Preemption (Desktop)
|64
|-
|x86
|586/K5/5x86/6x86/6x86MX
|(-mtune=generic ; SIMD assembly modules enabled based on simple compile test and/or presence of CPU flag)
|1000 HZ
|Voluntary Kernel Preemption (Desktop)
|32
|-
|armv7
|
* ARMv7 based platforms (Cortex-A, PJ4, Scorpion, Krait)
* Freescale i.MX family -- Cortex A (i.MX51, i.MX53, i.MX6 Quad/DualLite, i.MX6 SoloLite, i.MX6 SoloX, i.MX6 UltraLite, i.MX7 Dual)
* Qualcomm -- (MSM8X60, MSM8960, MSM8974)
* Allwinner SoCs -- (A10 (sun4i), A10s / A13 (sun5i), A31 (sun6i), A20 (sun7i), sun8i Family, (sun9i))
* ARM Ldt Versatile Express family --
|Either <code>-march=armv7-a</code> or <code>-march=armv5t -Wa,-march=armv7-a</code> based on a compile test. <code>-mfpu=vfp</code>
|1000 Hz
|Voluntary Kernel Preemption (Desktop)
|32
|-
|aarch64
|
* Allwinner sunxi 64-bit SoC Family
* Broadcom BCM2835 family
* Marvell Berlin SoC Family
* ARMv8 based Samsung Exynos SoC family
* ARMv8 based Freescale Layerscape SoC family
* Hisilicon SoC Family
* Mediatek MT65xx & MT81xx ARMv8 SoC
* Marvell EBU SoC Family
* Qualcomm Platforms
* Rockchip Platforms
* AMD Seattle SoC Family
* Altera's Stratix 10 SoCFPGA Family
* NVIDIA Tegra SoC Family
* Spreadtrum SoC platform
* Cavium Inc. Thunder SoC Family
* ARMv8 software model (Versatile Express)
* AppliedMicro X-Gene SOC Family
* Xilinx ZynqMP Family
|
|1000 HZ
|Voluntary Kernel Preemption (Desktop)
|64
|-
|}
If you do desktop multitasking, you may want to switch to Voluntary Kernel Preemption (Desktop) or Preemptible Kernel (Low-Latency Desktop) and up the Timer Frequency. If you run a dedicated render farm node or a dedicated bitcoin miner use No Forced Preemption (Server) and decrease the Timer Frequency.

Optimized modules (most are already compiled as modules):
* raid6 -- altivec, avx512, ssse3, avx2, mmx, sse, sse2, neon
* some operations of raid5 -- mmx (32 bit), sse (64 bit), avx
For Kernel API:
* 32-bit memcpy -- 3dnow
* 32-bit memory page clearing and copying -- sse (Athlon/K7 only), mmx
From x86/crypto, arm/crypto, powerpc/crypto:
* CAMELLIA -- avx2, avx, aes-ni
* CHACHA20 -- avx2, neon
* CAST5 -- avx
* CAST6 -- avx
* TWOFISH -- avx
* SERPENT -- avx2, avx, sse2
* SHA1 -- avx2, ssse3, neon, spe
* SHA2 -- avx2
* SHA256 -- ssse3, neon, spe
* SHA512 -- avx2, ssse3, neon
* POLY1305 -- avx2
* GHASH -- pclmulqdq (part of aes-ni), vmx (power8)
* AES -- aes-ni, neon, vmx (power8), spe
* CRC32 -- pclmulqdq, sse, neon, vmx (power8)
* CRCT10DIF -- pclmulqdq, sse, neon, vmx (power8)

=== Fast reboots with kexec ===
{{main|kexec}}

If you want to reboot the kernel fast avoiding the POST test, you need {{ic|doas apk add {{pkg|kexec-tools}}}} and enable kexec in the kernel:

Processor type and features
[*] kexec system call

=== Hibernation to prevent data loss ===

Power management and ACPI options
[*] Hibernation (aka 'suspend to disk')

Hibernation should be used if you have a laptop. You don't want the laptop to suddenly shut off resulting in data loss, you want it to save your work based on a percentage of battery life (this requires special script). When hibernation resumes, should lock and ask for credentials. Depending on your needs, the hibernated image can be encrypted/decrypted which again requires additional customization to scripts.

Hibernation with an unsanitized swap file is generally insecure because data and unlocked memory pages are swapped out in plaintext. To increase the security either disable swap or use an encrypted swap. The swap file/partition is typically used as the hibernation resume image.

== Building ==

Before building, make sure you have ccache installed. This should reduce compile time on multiple builds.
You may also want to read up on compile flags - perhaps you want your build to be optimized for speed (or size which is the default).
Review <code>/etc/abuild.conf</code> and set:
<pre>
PACKAGER_PRIVKEY="/home/MY_USER_HERE/.abuild/my-email@mydomain.com-ID.rsa"
USE_CCACHE=1
</pre>
Please note that kernel build process may not use some of the settings you set in `abuild.conf` so in order to customize compiler or linker and/or it's flags you may need to edit APKBUILD.
If you have your config ready, first try building with:

<pre>
FLAVOR=lts-my_custom abuild -rK 2>&1 | tee build1.log
</pre>

This will install most of the dependencies and keep buildtime temp dirs and files (srcdir/pkgdir/deps).

If it complains about a dependency like {{pkg|elfutils-dev}} use <code>-rKd</code>.
Then, when it prompts for values for new found config options just hold enter till it starts compiling the kernel.
Unless you use <code>FLAVOR</code> or removed or commented out <code>virt.*.config</code> configs in APKBUILD there should be two sets one for -lts and the other for the -virt.
Just {{Key|Ctrl}}+{{Key|C}} out of the compilation process after
the second set so you can further customize the config.
Then you go into the {{path|src/linux-VER}} and edit the config file.
Copy the {{path|.config}} file overriding the {{path|lts.ARCH.config}} in the srcdir.

== Installing ==

To install it you do a {{ic|doas apk add linux-NAME}} where NAME is your custom kernel name.

== Testing ==

Before you test, you should install the lts kernel too, using <code>apk add {{pkg|linux-lts}}</code>. You may be missing a module and can't boot, so you use the other kernel as the fallback boot kernel.

Normally during the installation using with ''apk'' there are tools that will update initramfs and a boot loader automatically for you. For easier debugging you may want to change boot loader config and remove <code>quiet</code> from linux command line in <code>/etc/default/grub</code> or <code>/etc/update-extlinux.conf</code>.
Or perhaps you want to change other kernel options in <code>/etc/mkinitfs/mkinitfs.conf</code> - please remember to generate initramfs and update your bootloader manually, eg:
<pre>
# mkinitfs
# grub-mkconfig -o /boot/grub/grub.cfg
</pre>

To test, first you should make a bootable Alpine USB image. Then, when you have your rescue USB done, you <code>reboot</code> the computer.

To test it, you basically do trial and error. Sometimes your config is missing something if you want to have a bare minimum setting.

If you are curious about correctness testing, some kernel modules or components do preform self tests at the beginning of the boot process. The tools may have test suites that you run with the make command.

== See Also ==
* [[Kernels]]
* [https://wiki.archlinux.org/title/Kernel Archwiki Kernels]
* [https://wiki.gentoo.org/wiki/Kernel Gentoo Wiki Kernel]
* [https://wiki.gentoo.org/wiki/Kernel/Configuration Gentoo Wiki Kernel Configuration]
* [[How to build the Alpine Linux kernel]]
* [[Kernel_live_patching|Kernel Live Patching (KLP)]]

[[Category:Kernel]]

Custom Kernel

2025-12-30T09:24:23Z

Pawciobiel: updated description with FLAVOR build

{{Draft}}

This process of building a '''custom configured kernel''' assumes you are running on Alpine Linux utilizing abuild & aports.

== But why? ==

You want to build a custom kernel to enable experimental hardware or features or outdated hardware, to reduce bloat further, to tune the kernel to the hardware.

The lts kernel for most Alpine ARCHs uses defaults to balance throughput at the expense of some responsiveness, and support for many devices. You can tweak the kernel for desktop use and low latency and responsiveness.

You should disable modules to increase security. By default, Alpine will install modules but not disable most of them. Disabling modules will reduce an DMA attack but not eliminate it completely. If you have a newer processor with VT-d, you can mitigate as long as you:

Leave <code>CONFIG_INTEL_IOMMU_DEFAULT_ON=y</code> or pass <code>intel_iommu=on</code> as a kernel parameter and disable kernel logging so the attacker doesn't gain DMAR address information through dmesg.[https://blog.frizk.net/2016/11/disable-virtualization-based-security.html] Also remove references to the kernel version to calculate the IOMMU addresses.[https://link.springer.com/content/pdf/10.1186/s13173-017-0066-7.pdf]

You may also want to harden your kernel by adding at least some of the config changes recommended by <code>kernel-hardening-checker</code> [https://github.com/a13xp0p0v/kernel-hardening-checker/]

To increase the security of the boot process, if you have a TPM, you could set <code>CONFIG_INTEL_TXT=y</code> (Enable Intel(R) Trusted Execution Technology (Intel(R) TXT)) (which is not enabled in the hardened kernel by default), then you would need the SINIT module (provided only by Intel)[https://software.intel.com/en-us/articles/intel-trusted-execution-technology], a possibly compiled TrustedGrub2[https://github.com/Rohde-Schwarz-Cybersecurity/TrustedGRUB2], trousers[https://sourceforge.net/projects/trousers/?source=navbar], tboot[https://sourceforge.net/projects/tboot/]. These packages are not in aports and it is unknown if these tools work on musl. It's not recommended for Edge. Also, there would be trigger packages to generate hashes for the kernel and the mkinitfs updates.

== Setting up the Alpine Build System ==

First, you need to follow the steps in [[Creating_an_Alpine_package#Setup_your_system_and_account|Setup your system and account for building packages]]. You also need to configure your {{path|/etc/apk/repositories}} so that they search locally for your apks. See [[Creating_an_Alpine_package#Testing_the_package_locally|Testing the package locally]] for details.

After setting up accounts and repos, change your shell's current working directory to '''aports''' that you just cloned.

{{cmd|$ cd aports}}

== Working with aports ==

We will try using an existing lts kernel just tweaking the {{path|lts.ARCH.config}} file.

=== Switching to the proper release version ===

You need to switch to the proper branch that matches the release so that the kernel compiles against the dependencies properly.

{| cellpadding="5" border="1" class="wikitable"
|-
! Alpine version
! Remote branch
|-
| Edge
| master
|-
| 3.23.0
| 3.23-stable
|-
|}

The following is required to get access to the {{path|APKBUILD}} released for that version of Alpine and which you will create a commit for.

If you are on 3.23 do:

{{cmd|$ git checkout -b 3.23-stable origin/3.23-stable}}

If you are on Edge do:

{{cmd|$ git checkout master}}

=== Creating your config ===

You can use {{pkg|linux-lts}} but what you should do is create a local branch by doing:

For Alpine 3.23 (linux-lts - 6.18):

{{cmd|$ git checkout -b my-custom-kernel origin/3.23-stable}}

For Alpine Edge:

{{cmd|$ git checkout -b my-custom-kernel}}

Doing it this way, you do less work in maintaining. All you need to do is keep ''master'' or ''3.23-stable'' in sync[https://help.github.com/articles/syncing-a-fork/][https://help.github.com/articles/configuring-a-remote-for-a-fork/] and merge any conflicts.

First switch to the branch by doing
<code>git checkout my-custom-kernel</code>.
Then, you need to navigate to the {{path|main/linux-lts}} folder where you should see a APKBUILD and some config- files.

It is a good idea to use custom `FLAVOR` in order to change the name of your kernel and package (custom flavor or revision) so you newly build kernel will not override the existing linux-lts and it's modules. Flavor build will only use your config and omit files that are not for your cpu architectures or virt* configs.(Virt configs provide optimized kernel configurations for running Alpine as a guest in virtual machines.)
This will also speed up the process of applying kernel patches by applying it for your architecture only. (Obviously ARCH in the following example is whatever architecture x86, x86_64...you use.)

First make a copy of your ARCH config file:
<pre>
cp lts.x86_64.config lts-my_custom.x86_64.config
</pre>

Edit your custom config file and add your changes. When you are done with your edits you need to run checksum to update APKBUILD:

<code>FLAVOR=lts-my_custom abuild checksum</code>

Then commit your changes:

<code>git commit -a -m "Enabled these options ...."</code>

You do this so that git can keep your code separate from Alpine's and so your changes float forward between kernel updates.

== Adding custom patches ==

Custom patches should be added to ''sources=''.

After you added the URL, you need to produce a checksum by doing <code>abuild checksum</code>.

The custom patches may not be autopatched, due to being distributed as an archive or different patch level, so you need to define what to do with it in the prepare().

== Configuring kernel ==

Attempt to create a config for your currently running system and modules first.

To create a kernel config based on your currently running PC, use:
<code>make localmodconfig</code>
This command reads your current kernel's configuration from /proc/config.gz (if available) or /boot/config-* and creates a .config file that includes only the modules currently loaded on your system. This results in a minimal configuration tailored to your hardware.
Alternatively, you can use:
<code>make localyesconfig</code>
This is similar to ''localmodconfig'', but instead of building features as modules (m), it builds them directly into the kernel (y), which can result in a larger kernel image but eliminates the need for separate module files.
Note: Before running either command, make sure you have all the hardware you want to support actively in use (USB devices plugged in, network cards active, etc.) so their modules are loaded and included in the configuration.

The alternative is to use the kernel configuration menu in the build-NAME folder, but before you do that you need to <code>sudo apk add {{pkg|ncurses-dev}}</code>

After you are done using the menu in the build-NAME folder by doing <code>make menuconfig</code>, you want to remove <code>ncurses-dev</code>. When you are done, it will be stored in ''.config'' which you need to again override the {{path|lts.ARCH.config}} file. When you are done updating the {{path|config-NAME.ARCH}}, you need to do <code>abuild checksum</code>.

The options in the kernel config are typically defaults. If your device is old, it may be set to n by default.

=== Vanilla targets and tuning ===

{|cellpadding="5" border="1" class="wikitable"
!ARCH
!Processor Type / CPU Selection / System Type
!Code Generation / Instruction Extensions
!Timer Frequency
!Preemption Model
!Bitness
|-
|s390x
|IBM zEnterprise 114 and 196
|IBM zBC12 and zEC12 (<code>-march=zEC12 -mtune=zEC12</code>)
|1000 Hz
|No Forced Preemption (Server)
|64
|-
|ppc64le
|Server processors
|POWER8 (<code>-mcpu=power8</code>), AltiVec (<code>-Wa,-maltivec</code> to assembler or <code>-maltivec -mabi=altivec</code>), VSX
|1000 HZ
|No Forced Preemption (Server)
|64
|-
|ppc
|
512x/52xx/6xx/7xx/74xx/82xx/83xx/86xx
* Apple PowerMac based machines
|AltiVec (<code>-Wa,-maltivec</code> to assembler or <code>-maltivec -mabi=altivec</code>) on >=74xx
|1000 HZ
|No Forced Preemption (Server)
|32
|-
|x86_64
|Generic-x86-64
|(-mtune=generic ; SIMD assembly modules enabled based on simple compile test and/or presence of CPU flag)
|1000 HZ
|Voluntary Kernel Preemption (Desktop)
|64
|-
|x86
|586/K5/5x86/6x86/6x86MX
|(-mtune=generic ; SIMD assembly modules enabled based on simple compile test and/or presence of CPU flag)
|1000 HZ
|Voluntary Kernel Preemption (Desktop)
|32
|-
|armv7
|
* ARMv7 based platforms (Cortex-A, PJ4, Scorpion, Krait)
* Freescale i.MX family -- Cortex A (i.MX51, i.MX53, i.MX6 Quad/DualLite, i.MX6 SoloLite, i.MX6 SoloX, i.MX6 UltraLite, i.MX7 Dual)
* Qualcomm -- (MSM8X60, MSM8960, MSM8974)
* Allwinner SoCs -- (A10 (sun4i), A10s / A13 (sun5i), A31 (sun6i), A20 (sun7i), sun8i Family, (sun9i))
* ARM Ldt Versatile Express family --
|Either <code>-march=armv7-a</code> or <code>-march=armv5t -Wa,-march=armv7-a</code> based on a compile test. <code>-mfpu=vfp</code>
|1000 Hz
|Voluntary Kernel Preemption (Desktop)
|32
|-
|aarch64
|
* Allwinner sunxi 64-bit SoC Family
* Broadcom BCM2835 family
* Marvell Berlin SoC Family
* ARMv8 based Samsung Exynos SoC family
* ARMv8 based Freescale Layerscape SoC family
* Hisilicon SoC Family
* Mediatek MT65xx & MT81xx ARMv8 SoC
* Marvell EBU SoC Family
* Qualcomm Platforms
* Rockchip Platforms
* AMD Seattle SoC Family
* Altera's Stratix 10 SoCFPGA Family
* NVIDIA Tegra SoC Family
* Spreadtrum SoC platform
* Cavium Inc. Thunder SoC Family
* ARMv8 software model (Versatile Express)
* AppliedMicro X-Gene SOC Family
* Xilinx ZynqMP Family
|
|1000 HZ
|Voluntary Kernel Preemption (Desktop)
|64
|-
|}
If you do desktop multitasking, you may want to switch to Voluntary Kernel Preemption (Desktop) or Preemptible Kernel (Low-Latency Desktop) and up the Timer Frequency. If you run a dedicated render farm node or a dedicated bitcoin miner use No Forced Preemption (Server) and decrease the Timer Frequency.

Optimized modules (most are already compiled as modules):
* raid6 -- altivec, avx512, ssse3, avx2, mmx, sse, sse2, neon
* some operations of raid5 -- mmx (32 bit), sse (64 bit), avx
For Kernel API:
* 32-bit memcpy -- 3dnow
* 32-bit memory page clearing and copying -- sse (Athlon/K7 only), mmx
From x86/crypto, arm/crypto, powerpc/crypto:
* CAMELLIA -- avx2, avx, aes-ni
* CHACHA20 -- avx2, neon
* CAST5 -- avx
* CAST6 -- avx
* TWOFISH -- avx
* SERPENT -- avx2, avx, sse2
* SHA1 -- avx2, ssse3, neon, spe
* SHA2 -- avx2
* SHA256 -- ssse3, neon, spe
* SHA512 -- avx2, ssse3, neon
* POLY1305 -- avx2
* GHASH -- pclmulqdq (part of aes-ni), vmx (power8)
* AES -- aes-ni, neon, vmx (power8), spe
* CRC32 -- pclmulqdq, sse, neon, vmx (power8)
* CRCT10DIF -- pclmulqdq, sse, neon, vmx (power8)

=== Fast reboots with kexec ===
{{main|kexec}}

If you want to reboot the kernel fast avoiding the POST test, you need {{ic|doas apk add {{pkg|kexec-tools}}}} and enable kexec in the kernel:

Processor type and features
[*] kexec system call

=== Hibernation to prevent data loss ===

Power management and ACPI options
[*] Hibernation (aka 'suspend to disk')

Hibernation should be used if you have a laptop. You don't want the laptop to suddenly shut off resulting in data loss, you want it to save your work based on a percentage of battery life (this requires special script). When hibernation resumes, should lock and ask for credentials. Depending on your needs, the hibernated image can be encrypted/decrypted which again requires additional customization to scripts.

Hibernation with an unsanitized swap file is generally insecure because data and unlocked memory pages are swapped out in plaintext. To increase the security either disable swap or use an encrypted swap. The swap file/partition is typically used as the hibernation resume image.

== Building ==

Before building, make sure you have ccache installed. This should reduce compile time on multiple builds.
You may also want to read up on compile flags - perhaps you want your build to be optimized for speed (or size which is the default).
Review <code>/etc/abuild.conf</code> and set:
<pre>
PACKAGER_PRIVKEY="/home/MY_USER_HERE/.abuild/my-email@mydomain.com-ID.rsa"
USE_CCACHE=1
</pre>

If you have your config ready, first try building with <code>abuild -rK</code> which install most of the dependencies and keep buildtime temp dirs and files (srcdir/pkgdir/deps).

If it complains about a dependency like {{pkg|elfutils-dev}} use <code>-rKd</code>.
Then, when it prompts for values for new found config options just hold enter till it starts compiling the kernel.
Unless you removed or commented out <code>virt.*.config</code> configs
there should be two sets one for -lts and the other for the -virt.
Just {{Key|Ctrl}}+{{Key|C}} out of the compilation process after
the second set so you can further customize the config.
Then you go into the {{path|src/linux-VER}} and edit the config file.
Copy the {{path|.config}} file overriding the {{path|lts.ARCH.config}} in the srcdir.

== Installing ==

To install it you do a {{ic|doas apk add linux-NAME}} where NAME is your custom kernel name.

== Testing ==

Before you test, you should install the lts kernel too, using <code>apk add {{pkg|linux-lts}}</code>. You may be missing a module and can't boot, so you use the other kernel as the fallback boot kernel.

Normally during the installation using with ''apk'' there are tools that will update initramfs and a boot loader automatically for you. For easier debugging you may want to change boot loader config and remove <code>quiet</code> from linux command line in <code>/etc/default/grub</code> or <code>/etc/update-extlinux.conf</code>.
Or perhaps you want to change other kernel options in <code>/etc/mkinitfs/mkinitfs.conf</code> - please remember to generate initramfs and update your bootloader manually, eg:
<pre>
# mkinitfs
# grub-mkconfig -o /boot/grub/grub.cfg
</pre>

To test, first you should make a bootable Alpine USB image. Then, when you have your rescue USB done, you <code>reboot</code> the computer.

To test it, you basically do trial and error. Sometimes your config is missing something if you want to have a bare minimum setting.

If you are curious about correctness testing, some kernel modules or components do preform self tests at the beginning of the boot process. The tools may have test suites that you run with the make command.

== See Also ==
* [[Kernels]]
* [https://wiki.archlinux.org/title/Kernel Archwiki Kernels]
* [https://wiki.gentoo.org/wiki/Kernel Gentoo Wiki Kernel]
* [https://wiki.gentoo.org/wiki/Kernel/Configuration Gentoo Wiki Kernel Configuration]
* [[How to build the Alpine Linux kernel]]
* [[Kernel_live_patching|Kernel Live Patching (KLP)]]

[[Category:Kernel]]

Custom Kernel

2025-12-30T09:09:18Z

Pawciobiel: updated release branch to 23

{{Draft}}

This process of building a '''custom configured kernel''' assumes you are running on Alpine Linux utilizing abuild & aports.

== But why? ==

You want to build a custom kernel to enable experimental hardware or features or outdated hardware, to reduce bloat further, to tune the kernel to the hardware.

The lts kernel for most Alpine ARCHs uses defaults to balance throughput at the expense of some responsiveness, and support for many devices. You can tweak the kernel for desktop use and low latency and responsiveness.

You should disable modules to increase security. By default, Alpine will install modules but not disable most of them. Disabling modules will reduce an DMA attack but not eliminate it completely. If you have a newer processor with VT-d, you can mitigate as long as you:

Leave <code>CONFIG_INTEL_IOMMU_DEFAULT_ON=y</code> or pass <code>intel_iommu=on</code> as a kernel parameter and disable kernel logging so the attacker doesn't gain DMAR address information through dmesg.[https://blog.frizk.net/2016/11/disable-virtualization-based-security.html] Also remove references to the kernel version to calculate the IOMMU addresses.[https://link.springer.com/content/pdf/10.1186/s13173-017-0066-7.pdf]

You may also want to harden your kernel by adding at least some of the config changes recommended by <code>kernel-hardening-checker</code> [https://github.com/a13xp0p0v/kernel-hardening-checker/]

To increase the security of the boot process, if you have a TPM, you could set <code>CONFIG_INTEL_TXT=y</code> (Enable Intel(R) Trusted Execution Technology (Intel(R) TXT)) (which is not enabled in the hardened kernel by default), then you would need the SINIT module (provided only by Intel)[https://software.intel.com/en-us/articles/intel-trusted-execution-technology], a possibly compiled TrustedGrub2[https://github.com/Rohde-Schwarz-Cybersecurity/TrustedGRUB2], trousers[https://sourceforge.net/projects/trousers/?source=navbar], tboot[https://sourceforge.net/projects/tboot/]. These packages are not in aports and it is unknown if these tools work on musl. It's not recommended for Edge. Also, there would be trigger packages to generate hashes for the kernel and the mkinitfs updates.

== Setting up the Alpine Build System ==

First, you need to follow the steps in [[Creating_an_Alpine_package#Setup_your_system_and_account|Setup your system and account for building packages]]. You also need to configure your {{path|/etc/apk/repositories}} so that they search locally for your apks. See [[Creating_an_Alpine_package#Testing_the_package_locally|Testing the package locally]] for details.

After setting up accounts and repos, change your shell's current working directory to '''aports''' that you just cloned.

{{cmd|$ cd aports}}

== Working with aports ==

We will try using an existing lts kernel just tweaking the {{path|lts.ARCH.config}} file.

=== Switching to the proper release version ===

You need to switch to the proper branch that matches the release so that the kernel compiles against the dependencies properly.

{| cellpadding="5" border="1" class="wikitable"
|-
! Alpine version
! Remote branch
|-
| Edge
| master
|-
| 3.23.0
| 3.23-stable
|-
|}

The following is required to get access to the {{path|APKBUILD}} released for that version of Alpine and which you will create a commit for.

If you are on 3.23 do:

{{cmd|$ git checkout -b 3.23-stable origin/3.23-stable}}

If you are on Edge do:

{{cmd|$ git checkout master}}

=== Creating your config ===

You can use {{pkg|linux-lts}} but what you should do is create a local branch by doing:

For Alpine 3.22 (linux-lts - 6.12):

{{cmd|$ git checkout -b my-custom-kernel origin/3.22-stable}}

For Alpine Edge:

{{cmd|$ git checkout -b my-custom-kernel}}

Doing it this way, you do less work in maintaining. All you need to do is keep ''master'' or ''3.22-stable'' in sync[https://help.github.com/articles/syncing-a-fork/][https://help.github.com/articles/configuring-a-remote-for-a-fork/] and merge any conflicts.

First switch to the branch by doing
<code>git checkout my-custom-kernel</code>.
Then, you need to navigate to the {{path|main/linux-lts}} folder where you should see a APKBUILD and some config- files.

You may want to change APKBUILD to change the name of your kernel and package (custom flavor or revision) and comment out or remove lines with config files that are not for your cpu architectures or virt* configs that are for virtualized environments.(They provide optimized kernel configurations for running Alpine as a guest in virtual machines.)
Setting custom name/flavor will prevent overriding your default ''linux-lts'' kernel modules and commenting out unused configs will speed up the process of applying kernel patches by applying it for your architecture only. (Obviously ARCH in the following example is whatever architecture (x86, x86_64, ...) you use.)

<pre>
_flavor=lts-custom
pkgname=linux-$_flavor
pkgrel=0
pkgdesc="Linux ${_flavor} kernel (optimized)"
</pre>

When you are done with your edits to the APKBUILD file copy your config from {{path|lts.ARCH.config}} to {{path|.config}}. You can then move {{path|.config}} back overriding the {{path|lts.ARCH.config}} generated by <code>make localmodconfig</code> or <code>make menuconfig</code> (discussed below in the ''Configuring kernel'' section). After generating your config, you need to run <code>abuild checksum</code>.

Then add your changes, eg <code>git add APKBUILD lts.ARCH.config</code>.
And commit <code>git commit APKBUILD lts.ARCH.config -m "Enabled these options ...."</code> for your customization the '''ARCH'''itecture of your system. You do this so that git can keep your code separate from Alpine's and so your changes float forward between kernel updates.

== Adding custom patches ==

Custom patches should be added to ''sources=''.

After you added the URL, you need to produce a checksum by doing <code>abuild checksum</code>.

The custom patches may not be autopatched, due to being distributed as an archive or different patch level, so you need to define what to do with it in the prepare().

== Configuring kernel ==

Attempt to create a config for your currently running system and modules first.

To create a kernel config based on your currently running PC, use:
<code>make localmodconfig</code>
This command reads your current kernel's configuration from /proc/config.gz (if available) or /boot/config-* and creates a .config file that includes only the modules currently loaded on your system. This results in a minimal configuration tailored to your hardware.
Alternatively, you can use:
<code>make localyesconfig</code>
This is similar to ''localmodconfig'', but instead of building features as modules (m), it builds them directly into the kernel (y), which can result in a larger kernel image but eliminates the need for separate module files.
Note: Before running either command, make sure you have all the hardware you want to support actively in use (USB devices plugged in, network cards active, etc.) so their modules are loaded and included in the configuration.

The alternative is to use the kernel configuration menu in the build-NAME folder, but before you do that you need to <code>sudo apk add {{pkg|ncurses-dev}}</code>

After you are done using the menu in the build-NAME folder by doing <code>make menuconfig</code>, you want to remove <code>ncurses-dev</code>. When you are done, it will be stored in ''.config'' which you need to again override the {{path|lts.ARCH.config}} file. When you are done updating the {{path|config-NAME.ARCH}}, you need to do <code>abuild checksum</code>.

The options in the kernel config are typically defaults. If your device is old, it may be set to n by default.

=== Vanilla targets and tuning ===

{|cellpadding="5" border="1" class="wikitable"
!ARCH
!Processor Type / CPU Selection / System Type
!Code Generation / Instruction Extensions
!Timer Frequency
!Preemption Model
!Bitness
|-
|s390x
|IBM zEnterprise 114 and 196
|IBM zBC12 and zEC12 (<code>-march=zEC12 -mtune=zEC12</code>)
|1000 Hz
|No Forced Preemption (Server)
|64
|-
|ppc64le
|Server processors
|POWER8 (<code>-mcpu=power8</code>), AltiVec (<code>-Wa,-maltivec</code> to assembler or <code>-maltivec -mabi=altivec</code>), VSX
|1000 HZ
|No Forced Preemption (Server)
|64
|-
|ppc
|
512x/52xx/6xx/7xx/74xx/82xx/83xx/86xx
* Apple PowerMac based machines
|AltiVec (<code>-Wa,-maltivec</code> to assembler or <code>-maltivec -mabi=altivec</code>) on >=74xx
|1000 HZ
|No Forced Preemption (Server)
|32
|-
|x86_64
|Generic-x86-64
|(-mtune=generic ; SIMD assembly modules enabled based on simple compile test and/or presence of CPU flag)
|1000 HZ
|Voluntary Kernel Preemption (Desktop)
|64
|-
|x86
|586/K5/5x86/6x86/6x86MX
|(-mtune=generic ; SIMD assembly modules enabled based on simple compile test and/or presence of CPU flag)
|1000 HZ
|Voluntary Kernel Preemption (Desktop)
|32
|-
|armv7
|
* ARMv7 based platforms (Cortex-A, PJ4, Scorpion, Krait)
* Freescale i.MX family -- Cortex A (i.MX51, i.MX53, i.MX6 Quad/DualLite, i.MX6 SoloLite, i.MX6 SoloX, i.MX6 UltraLite, i.MX7 Dual)
* Qualcomm -- (MSM8X60, MSM8960, MSM8974)
* Allwinner SoCs -- (A10 (sun4i), A10s / A13 (sun5i), A31 (sun6i), A20 (sun7i), sun8i Family, (sun9i))
* ARM Ldt Versatile Express family --
|Either <code>-march=armv7-a</code> or <code>-march=armv5t -Wa,-march=armv7-a</code> based on a compile test. <code>-mfpu=vfp</code>
|1000 Hz
|Voluntary Kernel Preemption (Desktop)
|32
|-
|aarch64
|
* Allwinner sunxi 64-bit SoC Family
* Broadcom BCM2835 family
* Marvell Berlin SoC Family
* ARMv8 based Samsung Exynos SoC family
* ARMv8 based Freescale Layerscape SoC family
* Hisilicon SoC Family
* Mediatek MT65xx & MT81xx ARMv8 SoC
* Marvell EBU SoC Family
* Qualcomm Platforms
* Rockchip Platforms
* AMD Seattle SoC Family
* Altera's Stratix 10 SoCFPGA Family
* NVIDIA Tegra SoC Family
* Spreadtrum SoC platform
* Cavium Inc. Thunder SoC Family
* ARMv8 software model (Versatile Express)
* AppliedMicro X-Gene SOC Family
* Xilinx ZynqMP Family
|
|1000 HZ
|Voluntary Kernel Preemption (Desktop)
|64
|-
|}
If you do desktop multitasking, you may want to switch to Voluntary Kernel Preemption (Desktop) or Preemptible Kernel (Low-Latency Desktop) and up the Timer Frequency. If you run a dedicated render farm node or a dedicated bitcoin miner use No Forced Preemption (Server) and decrease the Timer Frequency.

Optimized modules (most are already compiled as modules):
* raid6 -- altivec, avx512, ssse3, avx2, mmx, sse, sse2, neon
* some operations of raid5 -- mmx (32 bit), sse (64 bit), avx
For Kernel API:
* 32-bit memcpy -- 3dnow
* 32-bit memory page clearing and copying -- sse (Athlon/K7 only), mmx
From x86/crypto, arm/crypto, powerpc/crypto:
* CAMELLIA -- avx2, avx, aes-ni
* CHACHA20 -- avx2, neon
* CAST5 -- avx
* CAST6 -- avx
* TWOFISH -- avx
* SERPENT -- avx2, avx, sse2
* SHA1 -- avx2, ssse3, neon, spe
* SHA2 -- avx2
* SHA256 -- ssse3, neon, spe
* SHA512 -- avx2, ssse3, neon
* POLY1305 -- avx2
* GHASH -- pclmulqdq (part of aes-ni), vmx (power8)
* AES -- aes-ni, neon, vmx (power8), spe
* CRC32 -- pclmulqdq, sse, neon, vmx (power8)
* CRCT10DIF -- pclmulqdq, sse, neon, vmx (power8)

=== Fast reboots with kexec ===
{{main|kexec}}

If you want to reboot the kernel fast avoiding the POST test, you need {{ic|doas apk add {{pkg|kexec-tools}}}} and enable kexec in the kernel:

Processor type and features
[*] kexec system call

=== Hibernation to prevent data loss ===

Power management and ACPI options
[*] Hibernation (aka 'suspend to disk')

Hibernation should be used if you have a laptop. You don't want the laptop to suddenly shut off resulting in data loss, you want it to save your work based on a percentage of battery life (this requires special script). When hibernation resumes, should lock and ask for credentials. Depending on your needs, the hibernated image can be encrypted/decrypted which again requires additional customization to scripts.

Hibernation with an unsanitized swap file is generally insecure because data and unlocked memory pages are swapped out in plaintext. To increase the security either disable swap or use an encrypted swap. The swap file/partition is typically used as the hibernation resume image.

== Building ==

Before building, make sure you have ccache installed. This should reduce compile time on multiple builds.
You may also want to read up on compile flags - perhaps you want your build to be optimized for speed (or size which is the default).
Review <code>/etc/abuild.conf</code> and set:
<pre>
PACKAGER_PRIVKEY="/home/MY_USER_HERE/.abuild/my-email@mydomain.com-ID.rsa"
USE_CCACHE=1
</pre>

If you have your config ready, first try building with <code>abuild -rK</code> which install most of the dependencies and keep buildtime temp dirs and files (srcdir/pkgdir/deps).

If it complains about a dependency like {{pkg|elfutils-dev}} use <code>-rKd</code>.
Then, when it prompts for values for new found config options just hold enter till it starts compiling the kernel.
Unless you removed or commented out <code>virt.*.config</code> configs
there should be two sets one for -lts and the other for the -virt.
Just {{Key|Ctrl}}+{{Key|C}} out of the compilation process after
the second set so you can further customize the config.
Then you go into the {{path|src/linux-VER}} and edit the config file.
Copy the {{path|.config}} file overriding the {{path|lts.ARCH.config}} in the srcdir.

== Installing ==

To install it you do a {{ic|doas apk add linux-NAME}} where NAME is your custom kernel name.

== Testing ==

Before you test, you should install the lts kernel too, using <code>apk add {{pkg|linux-lts}}</code>. You may be missing a module and can't boot, so you use the other kernel as the fallback boot kernel.

Normally during the installation using with ''apk'' there are tools that will update initramfs and a boot loader automatically for you. For easier debugging you may want to change boot loader config and remove <code>quiet</code> from linux command line in <code>/etc/default/grub</code> or <code>/etc/update-extlinux.conf</code>.
Or perhaps you want to change other kernel options in <code>/etc/mkinitfs/mkinitfs.conf</code> - please remember to generate initramfs and update your bootloader manually, eg:
<pre>
# mkinitfs
# grub-mkconfig -o /boot/grub/grub.cfg
</pre>

To test, first you should make a bootable Alpine USB image. Then, when you have your rescue USB done, you <code>reboot</code> the computer.

To test it, you basically do trial and error. Sometimes your config is missing something if you want to have a bare minimum setting.

If you are curious about correctness testing, some kernel modules or components do preform self tests at the beginning of the boot process. The tools may have test suites that you run with the make command.

== See Also ==
* [[Kernels]]
* [https://wiki.archlinux.org/title/Kernel Archwiki Kernels]
* [https://wiki.gentoo.org/wiki/Kernel Gentoo Wiki Kernel]
* [https://wiki.gentoo.org/wiki/Kernel/Configuration Gentoo Wiki Kernel Configuration]
* [[How to build the Alpine Linux kernel]]
* [[Kernel_live_patching|Kernel Live Patching (KLP)]]

[[Category:Kernel]]

Custom Kernel

2025-11-02T20:23:14Z

Pawciobiel: /* Testing */

{{Draft}}

This process of building a '''custom configured kernel''' assumes you are running on Alpine Linux utilizing abuild & aports.

== But why? ==

You want to build a custom kernel to enable experimental hardware or features or outdated hardware, to reduce bloat further, to tune the kernel to the hardware.

The lts kernel for most Alpine ARCHs uses defaults to balance throughput at the expense of some responsiveness, and support for many devices. You can tweak the kernel for desktop use and low latency and responsiveness.

You should disable modules to increase security. By default, Alpine will install modules but not disable most of them. Disabling modules will reduce an DMA attack but not eliminate it completely. If you have a newer processor with VT-d, you can mitigate as long as you:

Leave <code>CONFIG_INTEL_IOMMU_DEFAULT_ON=y</code> or pass <code>intel_iommu=on</code> as a kernel parameter and disable kernel logging so the attacker doesn't gain DMAR address information through dmesg.[https://blog.frizk.net/2016/11/disable-virtualization-based-security.html] Also remove references to the kernel version to calculate the IOMMU addresses.[https://link.springer.com/content/pdf/10.1186/s13173-017-0066-7.pdf]

You may also want to harden your kernel by adding at least some of the config changes recommended by <code>kernel-hardening-checker</code> [https://github.com/a13xp0p0v/kernel-hardening-checker/]

To increase the security of the boot process, if you have a TPM, you could set <code>CONFIG_INTEL_TXT=y</code> (Enable Intel(R) Trusted Execution Technology (Intel(R) TXT)) (which is not enabled in the hardened kernel by default), then you would need the SINIT module (provided only by Intel)[https://software.intel.com/en-us/articles/intel-trusted-execution-technology], a possibly compiled TrustedGrub2[https://github.com/Rohde-Schwarz-Cybersecurity/TrustedGRUB2], trousers[https://sourceforge.net/projects/trousers/?source=navbar], tboot[https://sourceforge.net/projects/tboot/]. These packages are not in aports and it is unknown if these tools work on musl. It's not recommended for Edge. Also, there would be trigger packages to generate hashes for the kernel and the mkinitfs updates.

== Setting up the Alpine Build System ==

First, you need to follow the steps in [[Creating_an_Alpine_package#Setup_your_system_and_account|Setup your system and account for building packages]]. You also need to configure your {{path|/etc/apk/repositories}} so that they search locally for your apks. See [[Creating_an_Alpine_package#Testing_the_package_locally|Testing the package locally]] for details.

After setting up accounts and repos, change your shell's current working directory to '''aports''' that you just cloned.

{{cmd|$ cd aports}}

== Working with aports ==

We will try using an existing lts kernel just tweaking the {{path|lts.ARCH.config}} file.

=== Switching to the proper release version ===

You need to switch to the proper branch that matches the release so that the kernel compiles against the dependencies properly.

{| cellpadding="5" border="1" class="wikitable"
|-
! Alpine version
! Remote branch
|-
| Edge
| master
|-
| 3.22.0
| 3.22-stable
|-
|}

The following is required to get access to the {{path|APKBUILD}} released for that version of Alpine and which you will create a commit for.

If you are on 3.22 do:

{{cmd|$ git checkout -b 3.22-stable origin/3.22-stable}}

If you are on Edge do:

{{cmd|$ git checkout master}}

=== Creating your config ===

You can use {{pkg|linux-lts}} but what you should do is create a local branch by doing:

For Alpine 3.22 (linux-lts - 6.12):

{{cmd|$ git checkout -b my-custom-kernel origin/3.22-stable}}

For Alpine Edge:

{{cmd|$ git checkout -b my-custom-kernel}}

Doing it this way, you do less work in maintaining. All you need to do is keep ''master'' or ''3.22-stable'' in sync[https://help.github.com/articles/syncing-a-fork/][https://help.github.com/articles/configuring-a-remote-for-a-fork/] and merge any conflicts.

First switch to the branch by doing
<code>git checkout my-custom-kernel</code>.
Then, you need to navigate to the {{path|main/linux-lts}} folder where you should see a APKBUILD and some config- files.

You may want to change APKBUILD to change the name of your kernel and package (custom flavor or revision) and comment out or remove lines with config files that are not for your cpu architectures or virt* configs that are for virtualized environments.(They provide optimized kernel configurations for running Alpine as a guest in virtual machines.)
Setting custom name/flavor will prevent overriding your default ''linux-lts'' kernel modules and commenting out unused configs will speed up the process of applying kernel patches by applying it for your architecture only. (Obviously ARCH in the following example is whatever architecture (x86, x86_64, ...) you use.)

<pre>
_flavor=lts-custom
pkgname=linux-$_flavor
pkgrel=0
pkgdesc="Linux ${_flavor} kernel (optimized)"
</pre>

When you are done with your edits to the APKBUILD file copy your config from {{path|lts.ARCH.config}} to {{path|.config}}. You can then move {{path|.config}} back overriding the {{path|lts.ARCH.config}} generated by <code>make localmodconfig</code> or <code>make menuconfig</code> (discussed below in the ''Configuring kernel'' section). After generating your config, you need to run <code>abuild checksum</code>.

Then add your changes, eg <code>git add APKBUILD lts.ARCH.config</code>.
And commit <code>git commit APKBUILD lts.ARCH.config -m "Enabled these options ...."</code> for your customization the '''ARCH'''itecture of your system. You do this so that git can keep your code separate from Alpine's and so your changes float forward between kernel updates.

== Adding custom patches ==

Custom patches should be added to ''sources=''.

After you added the URL, you need to produce a checksum by doing <code>abuild checksum</code>.

The custom patches may not be autopatched, due to being distributed as an archive or different patch level, so you need to define what to do with it in the prepare().

== Configuring kernel ==

Attempt to create a config for your currently running system and modules first.

To create a kernel config based on your currently running PC, use:
<code>make localmodconfig</code>
This command reads your current kernel's configuration from /proc/config.gz (if available) or /boot/config-* and creates a .config file that includes only the modules currently loaded on your system. This results in a minimal configuration tailored to your hardware.
Alternatively, you can use:
<code>make localyesconfig</code>
This is similar to ''localmodconfig'', but instead of building features as modules (m), it builds them directly into the kernel (y), which can result in a larger kernel image but eliminates the need for separate module files.
Note: Before running either command, make sure you have all the hardware you want to support actively in use (USB devices plugged in, network cards active, etc.) so their modules are loaded and included in the configuration.

The alternative is to use the kernel configuration menu in the build-NAME folder, but before you do that you need to <code>sudo apk add {{pkg|ncurses-dev}}</code>

After you are done using the menu in the build-NAME folder by doing <code>make menuconfig</code>, you want to remove <code>ncurses-dev</code>. When you are done, it will be stored in ''.config'' which you need to again override the {{path|lts.ARCH.config}} file. When you are done updating the {{path|config-NAME.ARCH}}, you need to do <code>abuild checksum</code>.

The options in the kernel config are typically defaults. If your device is old, it may be set to n by default.

=== Vanilla targets and tuning ===

{|cellpadding="5" border="1" class="wikitable"
!ARCH
!Processor Type / CPU Selection / System Type
!Code Generation / Instruction Extensions
!Timer Frequency
!Preemption Model
!Bitness
|-
|s390x
|IBM zEnterprise 114 and 196
|IBM zBC12 and zEC12 (<code>-march=zEC12 -mtune=zEC12</code>)
|1000 Hz
|No Forced Preemption (Server)
|64
|-
|ppc64le
|Server processors
|POWER8 (<code>-mcpu=power8</code>), AltiVec (<code>-Wa,-maltivec</code> to assembler or <code>-maltivec -mabi=altivec</code>), VSX
|1000 HZ
|No Forced Preemption (Server)
|64
|-
|ppc
|
512x/52xx/6xx/7xx/74xx/82xx/83xx/86xx
* Apple PowerMac based machines
|AltiVec (<code>-Wa,-maltivec</code> to assembler or <code>-maltivec -mabi=altivec</code>) on >=74xx
|1000 HZ
|No Forced Preemption (Server)
|32
|-
|x86_64
|Generic-x86-64
|(-mtune=generic ; SIMD assembly modules enabled based on simple compile test and/or presence of CPU flag)
|1000 HZ
|Voluntary Kernel Preemption (Desktop)
|64
|-
|x86
|586/K5/5x86/6x86/6x86MX
|(-mtune=generic ; SIMD assembly modules enabled based on simple compile test and/or presence of CPU flag)
|1000 HZ
|Voluntary Kernel Preemption (Desktop)
|32
|-
|armv7
|
* ARMv7 based platforms (Cortex-A, PJ4, Scorpion, Krait)
* Freescale i.MX family -- Cortex A (i.MX51, i.MX53, i.MX6 Quad/DualLite, i.MX6 SoloLite, i.MX6 SoloX, i.MX6 UltraLite, i.MX7 Dual)
* Qualcomm -- (MSM8X60, MSM8960, MSM8974)
* Allwinner SoCs -- (A10 (sun4i), A10s / A13 (sun5i), A31 (sun6i), A20 (sun7i), sun8i Family, (sun9i))
* ARM Ldt Versatile Express family --
|Either <code>-march=armv7-a</code> or <code>-march=armv5t -Wa,-march=armv7-a</code> based on a compile test. <code>-mfpu=vfp</code>
|1000 Hz
|Voluntary Kernel Preemption (Desktop)
|32
|-
|aarch64
|
* Allwinner sunxi 64-bit SoC Family
* Broadcom BCM2835 family
* Marvell Berlin SoC Family
* ARMv8 based Samsung Exynos SoC family
* ARMv8 based Freescale Layerscape SoC family
* Hisilicon SoC Family
* Mediatek MT65xx & MT81xx ARMv8 SoC
* Marvell EBU SoC Family
* Qualcomm Platforms
* Rockchip Platforms
* AMD Seattle SoC Family
* Altera's Stratix 10 SoCFPGA Family
* NVIDIA Tegra SoC Family
* Spreadtrum SoC platform
* Cavium Inc. Thunder SoC Family
* ARMv8 software model (Versatile Express)
* AppliedMicro X-Gene SOC Family
* Xilinx ZynqMP Family
|
|1000 HZ
|Voluntary Kernel Preemption (Desktop)
|64
|-
|}
If you do desktop multitasking, you may want to switch to Voluntary Kernel Preemption (Desktop) or Preemptible Kernel (Low-Latency Desktop) and up the Timer Frequency. If you run a dedicated render farm node or a dedicated bitcoin miner use No Forced Preemption (Server) and decrease the Timer Frequency.

Optimized modules (most are already compiled as modules):
* raid6 -- altivec, avx512, ssse3, avx2, mmx, sse, sse2, neon
* some operations of raid5 -- mmx (32 bit), sse (64 bit), avx
For Kernel API:
* 32-bit memcpy -- 3dnow
* 32-bit memory page clearing and copying -- sse (Athlon/K7 only), mmx
From x86/crypto, arm/crypto, powerpc/crypto:
* CAMELLIA -- avx2, avx, aes-ni
* CHACHA20 -- avx2, neon
* CAST5 -- avx
* CAST6 -- avx
* TWOFISH -- avx
* SERPENT -- avx2, avx, sse2
* SHA1 -- avx2, ssse3, neon, spe
* SHA2 -- avx2
* SHA256 -- ssse3, neon, spe
* SHA512 -- avx2, ssse3, neon
* POLY1305 -- avx2
* GHASH -- pclmulqdq (part of aes-ni), vmx (power8)
* AES -- aes-ni, neon, vmx (power8), spe
* CRC32 -- pclmulqdq, sse, neon, vmx (power8)
* CRCT10DIF -- pclmulqdq, sse, neon, vmx (power8)

=== Fast reboots with kexec ===
{{main|kexec}}

If you want to reboot the kernel fast avoiding the POST test, you need {{ic|doas apk add {{pkg|kexec-tools}}}} and enable kexec in the kernel:

Processor type and features
[*] kexec system call

=== Hibernation to prevent data loss ===

Power management and ACPI options
[*] Hibernation (aka 'suspend to disk')

Hibernation should be used if you have a laptop. You don't want the laptop to suddenly shut off resulting in data loss, you want it to save your work based on a percentage of battery life (this requires special script). When hibernation resumes, should lock and ask for credentials. Depending on your needs, the hibernated image can be encrypted/decrypted which again requires additional customization to scripts.

Hibernation with an unsanitized swap file is generally insecure because data and unlocked memory pages are swapped out in plaintext. To increase the security either disable swap or use an encrypted swap. The swap file/partition is typically used as the hibernation resume image.

== Building ==

Before building, make sure you have ccache installed. This should reduce compile time on multiple builds.
You may also want to read up on compile flags - perhaps you want your build to be optimized for speed (or size which is the default).
Review <code>/etc/abuild.conf</code> and set:
<pre>
PACKAGER_PRIVKEY="/home/MY_USER_HERE/.abuild/my-email@mydomain.com-ID.rsa"
USE_CCACHE=1
</pre>

If you have your config ready, first try building with <code>abuild -rK</code> which install most of the dependencies and keep buildtime temp dirs and files (srcdir/pkgdir/deps).

If it complains about a dependency like {{pkg|elfutils-dev}} use <code>-rKd</code>.
Then, when it prompts for values for new found config options just hold enter till it starts compiling the kernel.
Unless you removed or commented out <code>virt.*.config</code> configs
there should be two sets one for -lts and the other for the -virt.
Just {{Key|Ctrl}}+{{Key|C}} out of the compilation process after
the second set so you can further customize the config.
Then you go into the {{path|src/linux-VER}} and edit the config file.
Copy the {{path|.config}} file overriding the {{path|lts.ARCH.config}} in the srcdir.

== Installing ==

To install it you do a {{ic|doas apk add linux-NAME}} where NAME is your custom kernel name.

== Testing ==

Before you test, you should install the lts kernel too, using <code>apk add {{pkg|linux-lts}}</code>. You may be missing a module and can't boot, so you use the other kernel as the fallback boot kernel.

Normally during the installation using with ''apk'' there are tools that will update initramfs and a boot loader automatically for you. For easier debugging you may want to change boot loader config and remove <code>quiet</code> from linux command line in <code>/etc/default/grub</code> or <code>/etc/update-extlinux.conf</code>.
Or perhaps you want to change other kernel options in <code>/etc/mkinitfs/mkinitfs.conf</code> - please remember to generate initramfs and update your bootloader manually, eg:
<pre>
# mkinitfs
# grub-mkconfig -o /boot/grub/grub.cfg
</pre>

To test, first you should make a bootable Alpine USB image. Then, when you have your rescue USB done, you <code>reboot</code> the computer.

To test it, you basically do trial and error. Sometimes your config is missing something if you want to have a bare minimum setting.

If you are curious about correctness testing, some kernel modules or components do preform self tests at the beginning of the boot process. The tools may have test suites that you run with the make command.

== See Also ==
* [https://wiki.archlinux.org/title/Kernel Archwiki Kernels]
* [https://wiki.gentoo.org/wiki/Kernel Gentoo Wiki Kernel]
* [https://wiki.gentoo.org/wiki/Kernel/Configuration Gentoo Wiki Kernel Configuration]
* [[How to build the Alpine Linux kernel]]

[[Category:Kernel]]

Custom Kernel

2025-11-02T20:22:23Z

Pawciobiel: /* Building */

{{Draft}}

This process of building a '''custom configured kernel''' assumes you are running on Alpine Linux utilizing abuild & aports.

== But why? ==

You want to build a custom kernel to enable experimental hardware or features or outdated hardware, to reduce bloat further, to tune the kernel to the hardware.

The lts kernel for most Alpine ARCHs uses defaults to balance throughput at the expense of some responsiveness, and support for many devices. You can tweak the kernel for desktop use and low latency and responsiveness.

You should disable modules to increase security. By default, Alpine will install modules but not disable most of them. Disabling modules will reduce an DMA attack but not eliminate it completely. If you have a newer processor with VT-d, you can mitigate as long as you:

Leave <code>CONFIG_INTEL_IOMMU_DEFAULT_ON=y</code> or pass <code>intel_iommu=on</code> as a kernel parameter and disable kernel logging so the attacker doesn't gain DMAR address information through dmesg.[https://blog.frizk.net/2016/11/disable-virtualization-based-security.html] Also remove references to the kernel version to calculate the IOMMU addresses.[https://link.springer.com/content/pdf/10.1186/s13173-017-0066-7.pdf]

You may also want to harden your kernel by adding at least some of the config changes recommended by <code>kernel-hardening-checker</code> [https://github.com/a13xp0p0v/kernel-hardening-checker/]

To increase the security of the boot process, if you have a TPM, you could set <code>CONFIG_INTEL_TXT=y</code> (Enable Intel(R) Trusted Execution Technology (Intel(R) TXT)) (which is not enabled in the hardened kernel by default), then you would need the SINIT module (provided only by Intel)[https://software.intel.com/en-us/articles/intel-trusted-execution-technology], a possibly compiled TrustedGrub2[https://github.com/Rohde-Schwarz-Cybersecurity/TrustedGRUB2], trousers[https://sourceforge.net/projects/trousers/?source=navbar], tboot[https://sourceforge.net/projects/tboot/]. These packages are not in aports and it is unknown if these tools work on musl. It's not recommended for Edge. Also, there would be trigger packages to generate hashes for the kernel and the mkinitfs updates.

== Setting up the Alpine Build System ==

First, you need to follow the steps in [[Creating_an_Alpine_package#Setup_your_system_and_account|Setup your system and account for building packages]]. You also need to configure your {{path|/etc/apk/repositories}} so that they search locally for your apks. See [[Creating_an_Alpine_package#Testing_the_package_locally|Testing the package locally]] for details.

After setting up accounts and repos, change your shell's current working directory to '''aports''' that you just cloned.

{{cmd|$ cd aports}}

== Working with aports ==

We will try using an existing lts kernel just tweaking the {{path|lts.ARCH.config}} file.

=== Switching to the proper release version ===

You need to switch to the proper branch that matches the release so that the kernel compiles against the dependencies properly.

{| cellpadding="5" border="1" class="wikitable"
|-
! Alpine version
! Remote branch
|-
| Edge
| master
|-
| 3.22.0
| 3.22-stable
|-
|}

The following is required to get access to the {{path|APKBUILD}} released for that version of Alpine and which you will create a commit for.

If you are on 3.22 do:

{{cmd|$ git checkout -b 3.22-stable origin/3.22-stable}}

If you are on Edge do:

{{cmd|$ git checkout master}}

=== Creating your config ===

You can use {{pkg|linux-lts}} but what you should do is create a local branch by doing:

For Alpine 3.22 (linux-lts - 6.12):

{{cmd|$ git checkout -b my-custom-kernel origin/3.22-stable}}

For Alpine Edge:

{{cmd|$ git checkout -b my-custom-kernel}}

Doing it this way, you do less work in maintaining. All you need to do is keep ''master'' or ''3.22-stable'' in sync[https://help.github.com/articles/syncing-a-fork/][https://help.github.com/articles/configuring-a-remote-for-a-fork/] and merge any conflicts.

First switch to the branch by doing
<code>git checkout my-custom-kernel</code>.
Then, you need to navigate to the {{path|main/linux-lts}} folder where you should see a APKBUILD and some config- files.

You may want to change APKBUILD to change the name of your kernel and package (custom flavor or revision) and comment out or remove lines with config files that are not for your cpu architectures or virt* configs that are for virtualized environments.(They provide optimized kernel configurations for running Alpine as a guest in virtual machines.)
Setting custom name/flavor will prevent overriding your default ''linux-lts'' kernel modules and commenting out unused configs will speed up the process of applying kernel patches by applying it for your architecture only. (Obviously ARCH in the following example is whatever architecture (x86, x86_64, ...) you use.)

<pre>
_flavor=lts-custom
pkgname=linux-$_flavor
pkgrel=0
pkgdesc="Linux ${_flavor} kernel (optimized)"
</pre>

When you are done with your edits to the APKBUILD file copy your config from {{path|lts.ARCH.config}} to {{path|.config}}. You can then move {{path|.config}} back overriding the {{path|lts.ARCH.config}} generated by <code>make localmodconfig</code> or <code>make menuconfig</code> (discussed below in the ''Configuring kernel'' section). After generating your config, you need to run <code>abuild checksum</code>.

Then add your changes, eg <code>git add APKBUILD lts.ARCH.config</code>.
And commit <code>git commit APKBUILD lts.ARCH.config -m "Enabled these options ...."</code> for your customization the '''ARCH'''itecture of your system. You do this so that git can keep your code separate from Alpine's and so your changes float forward between kernel updates.

== Adding custom patches ==

Custom patches should be added to ''sources=''.

After you added the URL, you need to produce a checksum by doing <code>abuild checksum</code>.

The custom patches may not be autopatched, due to being distributed as an archive or different patch level, so you need to define what to do with it in the prepare().

== Configuring kernel ==

Attempt to create a config for your currently running system and modules first.

To create a kernel config based on your currently running PC, use:
<code>make localmodconfig</code>
This command reads your current kernel's configuration from /proc/config.gz (if available) or /boot/config-* and creates a .config file that includes only the modules currently loaded on your system. This results in a minimal configuration tailored to your hardware.
Alternatively, you can use:
<code>make localyesconfig</code>
This is similar to ''localmodconfig'', but instead of building features as modules (m), it builds them directly into the kernel (y), which can result in a larger kernel image but eliminates the need for separate module files.
Note: Before running either command, make sure you have all the hardware you want to support actively in use (USB devices plugged in, network cards active, etc.) so their modules are loaded and included in the configuration.

The alternative is to use the kernel configuration menu in the build-NAME folder, but before you do that you need to <code>sudo apk add {{pkg|ncurses-dev}}</code>

After you are done using the menu in the build-NAME folder by doing <code>make menuconfig</code>, you want to remove <code>ncurses-dev</code>. When you are done, it will be stored in ''.config'' which you need to again override the {{path|lts.ARCH.config}} file. When you are done updating the {{path|config-NAME.ARCH}}, you need to do <code>abuild checksum</code>.

The options in the kernel config are typically defaults. If your device is old, it may be set to n by default.

=== Vanilla targets and tuning ===

{|cellpadding="5" border="1" class="wikitable"
!ARCH
!Processor Type / CPU Selection / System Type
!Code Generation / Instruction Extensions
!Timer Frequency
!Preemption Model
!Bitness
|-
|s390x
|IBM zEnterprise 114 and 196
|IBM zBC12 and zEC12 (<code>-march=zEC12 -mtune=zEC12</code>)
|1000 Hz
|No Forced Preemption (Server)
|64
|-
|ppc64le
|Server processors
|POWER8 (<code>-mcpu=power8</code>), AltiVec (<code>-Wa,-maltivec</code> to assembler or <code>-maltivec -mabi=altivec</code>), VSX
|1000 HZ
|No Forced Preemption (Server)
|64
|-
|ppc
|
512x/52xx/6xx/7xx/74xx/82xx/83xx/86xx
* Apple PowerMac based machines
|AltiVec (<code>-Wa,-maltivec</code> to assembler or <code>-maltivec -mabi=altivec</code>) on >=74xx
|1000 HZ
|No Forced Preemption (Server)
|32
|-
|x86_64
|Generic-x86-64
|(-mtune=generic ; SIMD assembly modules enabled based on simple compile test and/or presence of CPU flag)
|1000 HZ
|Voluntary Kernel Preemption (Desktop)
|64
|-
|x86
|586/K5/5x86/6x86/6x86MX
|(-mtune=generic ; SIMD assembly modules enabled based on simple compile test and/or presence of CPU flag)
|1000 HZ
|Voluntary Kernel Preemption (Desktop)
|32
|-
|armv7
|
* ARMv7 based platforms (Cortex-A, PJ4, Scorpion, Krait)
* Freescale i.MX family -- Cortex A (i.MX51, i.MX53, i.MX6 Quad/DualLite, i.MX6 SoloLite, i.MX6 SoloX, i.MX6 UltraLite, i.MX7 Dual)
* Qualcomm -- (MSM8X60, MSM8960, MSM8974)
* Allwinner SoCs -- (A10 (sun4i), A10s / A13 (sun5i), A31 (sun6i), A20 (sun7i), sun8i Family, (sun9i))
* ARM Ldt Versatile Express family --
|Either <code>-march=armv7-a</code> or <code>-march=armv5t -Wa,-march=armv7-a</code> based on a compile test. <code>-mfpu=vfp</code>
|1000 Hz
|Voluntary Kernel Preemption (Desktop)
|32
|-
|aarch64
|
* Allwinner sunxi 64-bit SoC Family
* Broadcom BCM2835 family
* Marvell Berlin SoC Family
* ARMv8 based Samsung Exynos SoC family
* ARMv8 based Freescale Layerscape SoC family
* Hisilicon SoC Family
* Mediatek MT65xx & MT81xx ARMv8 SoC
* Marvell EBU SoC Family
* Qualcomm Platforms
* Rockchip Platforms
* AMD Seattle SoC Family
* Altera's Stratix 10 SoCFPGA Family
* NVIDIA Tegra SoC Family
* Spreadtrum SoC platform
* Cavium Inc. Thunder SoC Family
* ARMv8 software model (Versatile Express)
* AppliedMicro X-Gene SOC Family
* Xilinx ZynqMP Family
|
|1000 HZ
|Voluntary Kernel Preemption (Desktop)
|64
|-
|}
If you do desktop multitasking, you may want to switch to Voluntary Kernel Preemption (Desktop) or Preemptible Kernel (Low-Latency Desktop) and up the Timer Frequency. If you run a dedicated render farm node or a dedicated bitcoin miner use No Forced Preemption (Server) and decrease the Timer Frequency.

Optimized modules (most are already compiled as modules):
* raid6 -- altivec, avx512, ssse3, avx2, mmx, sse, sse2, neon
* some operations of raid5 -- mmx (32 bit), sse (64 bit), avx
For Kernel API:
* 32-bit memcpy -- 3dnow
* 32-bit memory page clearing and copying -- sse (Athlon/K7 only), mmx
From x86/crypto, arm/crypto, powerpc/crypto:
* CAMELLIA -- avx2, avx, aes-ni
* CHACHA20 -- avx2, neon
* CAST5 -- avx
* CAST6 -- avx
* TWOFISH -- avx
* SERPENT -- avx2, avx, sse2
* SHA1 -- avx2, ssse3, neon, spe
* SHA2 -- avx2
* SHA256 -- ssse3, neon, spe
* SHA512 -- avx2, ssse3, neon
* POLY1305 -- avx2
* GHASH -- pclmulqdq (part of aes-ni), vmx (power8)
* AES -- aes-ni, neon, vmx (power8), spe
* CRC32 -- pclmulqdq, sse, neon, vmx (power8)
* CRCT10DIF -- pclmulqdq, sse, neon, vmx (power8)

=== Fast reboots with kexec ===
{{main|kexec}}

If you want to reboot the kernel fast avoiding the POST test, you need {{ic|doas apk add {{pkg|kexec-tools}}}} and enable kexec in the kernel:

Processor type and features
[*] kexec system call

=== Hibernation to prevent data loss ===

Power management and ACPI options
[*] Hibernation (aka 'suspend to disk')

Hibernation should be used if you have a laptop. You don't want the laptop to suddenly shut off resulting in data loss, you want it to save your work based on a percentage of battery life (this requires special script). When hibernation resumes, should lock and ask for credentials. Depending on your needs, the hibernated image can be encrypted/decrypted which again requires additional customization to scripts.

Hibernation with an unsanitized swap file is generally insecure because data and unlocked memory pages are swapped out in plaintext. To increase the security either disable swap or use an encrypted swap. The swap file/partition is typically used as the hibernation resume image.

== Building ==

Before building, make sure you have ccache installed. This should reduce compile time on multiple builds.
You may also want to read up on compile flags - perhaps you want your build to be optimized for speed (or size which is the default).
Review <code>/etc/abuild.conf</code> and set:
<pre>
PACKAGER_PRIVKEY="/home/MY_USER_HERE/.abuild/my-email@mydomain.com-ID.rsa"
USE_CCACHE=1
</pre>

If you have your config ready, first try building with <code>abuild -rK</code> which install most of the dependencies and keep buildtime temp dirs and files (srcdir/pkgdir/deps).

If it complains about a dependency like {{pkg|elfutils-dev}} use <code>-rKd</code>.
Then, when it prompts for values for new found config options just hold enter till it starts compiling the kernel.
Unless you removed or commented out <code>virt.*.config</code> configs
there should be two sets one for -lts and the other for the -virt.
Just {{Key|Ctrl}}+{{Key|C}} out of the compilation process after
the second set so you can further customize the config.
Then you go into the {{path|src/linux-VER}} and edit the config file.
Copy the {{path|.config}} file overriding the {{path|lts.ARCH.config}} in the srcdir.

== Installing ==

To install it you do a {{ic|doas apk add linux-NAME}} where NAME is your custom kernel name.

== Testing ==

Before you test, you should install the lts kernel too, using <code>apk add {{pkg|linux-lts}}</code>. You may be missing a module and can't boot, so you use the other kernel as the fallback boot kernel.

Normally during the installation using with ''apk'' there are tools that will update initramfs and a boot loader automatically for you. For easier debugging you may want to change boot loader config and remove <code>quiet</code> from linux command line in <code>/etc/default/grub</code> or <code>/etc/update-extlinux.conf</code>.
Or perhaps you want to change other kernel options in <code>/etc/mkinitfs/mkinitfs.conf</code> - please remember to generate initramfs and update your bootloader manually, eg:
<code>
# mkinitfs
# grub-mkconfig -o /boot/grub/grub.cfg
</code>

To test, first you should make a bootable Alpine USB image. Then, when you have your rescue USB done, you <code>reboot</code> the computer.

To test it, you basically do trial and error. Sometimes your config is missing something if you want to have a bare minimum setting.

If you are curious about correctness testing, some kernel modules or components do preform self tests at the beginning of the boot process. The tools may have test suites that you run with the make command.

== See Also ==
* [https://wiki.archlinux.org/title/Kernel Archwiki Kernels]
* [https://wiki.gentoo.org/wiki/Kernel Gentoo Wiki Kernel]
* [https://wiki.gentoo.org/wiki/Kernel/Configuration Gentoo Wiki Kernel Configuration]
* [[How to build the Alpine Linux kernel]]

[[Category:Kernel]]

Custom Kernel

2025-11-02T20:06:45Z

Pawciobiel: update code example with custom flavor

{{Draft}}

This process of building a '''custom configured kernel''' assumes you are running on Alpine Linux utilizing abuild & aports.

== But why? ==

You want to build a custom kernel to enable experimental hardware or features or outdated hardware, to reduce bloat further, to tune the kernel to the hardware.

The lts kernel for most Alpine ARCHs uses defaults to balance throughput at the expense of some responsiveness, and support for many devices. You can tweak the kernel for desktop use and low latency and responsiveness.

You should disable modules to increase security. By default, Alpine will install modules but not disable most of them. Disabling modules will reduce an DMA attack but not eliminate it completely. If you have a newer processor with VT-d, you can mitigate as long as you:

Leave <code>CONFIG_INTEL_IOMMU_DEFAULT_ON=y</code> or pass <code>intel_iommu=on</code> as a kernel parameter and disable kernel logging so the attacker doesn't gain DMAR address information through dmesg.[https://blog.frizk.net/2016/11/disable-virtualization-based-security.html] Also remove references to the kernel version to calculate the IOMMU addresses.[https://link.springer.com/content/pdf/10.1186/s13173-017-0066-7.pdf]

You may also want to harden your kernel by adding at least some of the config changes recommended by <code>kernel-hardening-checker</code> [https://github.com/a13xp0p0v/kernel-hardening-checker/]

To increase the security of the boot process, if you have a TPM, you could set <code>CONFIG_INTEL_TXT=y</code> (Enable Intel(R) Trusted Execution Technology (Intel(R) TXT)) (which is not enabled in the hardened kernel by default), then you would need the SINIT module (provided only by Intel)[https://software.intel.com/en-us/articles/intel-trusted-execution-technology], a possibly compiled TrustedGrub2[https://github.com/Rohde-Schwarz-Cybersecurity/TrustedGRUB2], trousers[https://sourceforge.net/projects/trousers/?source=navbar], tboot[https://sourceforge.net/projects/tboot/]. These packages are not in aports and it is unknown if these tools work on musl. It's not recommended for Edge. Also, there would be trigger packages to generate hashes for the kernel and the mkinitfs updates.

== Setting up the Alpine Build System ==

First, you need to follow the steps in [[Creating_an_Alpine_package#Setup_your_system_and_account|Setup your system and account for building packages]]. You also need to configure your {{path|/etc/apk/repositories}} so that they search locally for your apks. See [[Creating_an_Alpine_package#Testing_the_package_locally|Testing the package locally]] for details.

After setting up accounts and repos, change your shell's current working directory to '''aports''' that you just cloned.

{{cmd|$ cd aports}}

== Working with aports ==

We will try using an existing lts kernel just tweaking the {{path|lts.ARCH.config}} file.

=== Switching to the proper release version ===

You need to switch to the proper branch that matches the release so that the kernel compiles against the dependencies properly.

{| cellpadding="5" border="1" class="wikitable"
|-
! Alpine version
! Remote branch
|-
| Edge
| master
|-
| 3.22.0
| 3.22-stable
|-
|}

The following is required to get access to the {{path|APKBUILD}} released for that version of Alpine and which you will create a commit for.

If you are on 3.22 do:

{{cmd|$ git checkout -b 3.22-stable origin/3.22-stable}}

If you are on Edge do:

{{cmd|$ git checkout master}}

=== Creating your config ===

You can use {{pkg|linux-lts}} but what you should do is create a local branch by doing:

For Alpine 3.22 (linux-lts - 6.12):

{{cmd|$ git checkout -b my-custom-kernel origin/3.22-stable}}

For Alpine Edge:

{{cmd|$ git checkout -b my-custom-kernel}}

Doing it this way, you do less work in maintaining. All you need to do is keep ''master'' or ''3.22-stable'' in sync[https://help.github.com/articles/syncing-a-fork/][https://help.github.com/articles/configuring-a-remote-for-a-fork/] and merge any conflicts.

First switch to the branch by doing
<code>git checkout my-custom-kernel</code>.
Then, you need to navigate to the {{path|main/linux-lts}} folder where you should see a APKBUILD and some config- files.

You may want to change APKBUILD to change the name of your kernel and package (custom flavor or revision) and comment out or remove lines with config files that are not for your cpu architectures or virt* configs that are for virtualized environments.(They provide optimized kernel configurations for running Alpine as a guest in virtual machines.)
Setting custom name/flavor will prevent overriding your default ''linux-lts'' kernel modules and commenting out unused configs will speed up the process of applying kernel patches by applying it for your architecture only. (Obviously ARCH in the following example is whatever architecture (x86, x86_64, ...) you use.)

<pre>
_flavor=lts-custom
pkgname=linux-$_flavor
pkgrel=0
pkgdesc="Linux ${_flavor} kernel (optimized)"
</pre>

When you are done with your edits to the APKBUILD file copy your config from {{path|lts.ARCH.config}} to {{path|.config}}. You can then move {{path|.config}} back overriding the {{path|lts.ARCH.config}} generated by <code>make localmodconfig</code> or <code>make menuconfig</code> (discussed below in the ''Configuring kernel'' section). After generating your config, you need to run <code>abuild checksum</code>.

Then add your changes, eg <code>git add APKBUILD lts.ARCH.config</code>.
And commit <code>git commit APKBUILD lts.ARCH.config -m "Enabled these options ...."</code> for your customization the '''ARCH'''itecture of your system. You do this so that git can keep your code separate from Alpine's and so your changes float forward between kernel updates.

== Adding custom patches ==

Custom patches should be added to ''sources=''.

After you added the URL, you need to produce a checksum by doing <code>abuild checksum</code>.

The custom patches may not be autopatched, due to being distributed as an archive or different patch level, so you need to define what to do with it in the prepare().

== Configuring kernel ==

Attempt to create a config for your currently running system and modules first.

To create a kernel config based on your currently running PC, use:
<code>make localmodconfig</code>
This command reads your current kernel's configuration from /proc/config.gz (if available) or /boot/config-* and creates a .config file that includes only the modules currently loaded on your system. This results in a minimal configuration tailored to your hardware.
Alternatively, you can use:
<code>make localyesconfig</code>
This is similar to ''localmodconfig'', but instead of building features as modules (m), it builds them directly into the kernel (y), which can result in a larger kernel image but eliminates the need for separate module files.
Note: Before running either command, make sure you have all the hardware you want to support actively in use (USB devices plugged in, network cards active, etc.) so their modules are loaded and included in the configuration.

The alternative is to use the kernel configuration menu in the build-NAME folder, but before you do that you need to <code>sudo apk add {{pkg|ncurses-dev}}</code>

After you are done using the menu in the build-NAME folder by doing <code>make menuconfig</code>, you want to remove <code>ncurses-dev</code>. When you are done, it will be stored in ''.config'' which you need to again override the {{path|lts.ARCH.config}} file. When you are done updating the {{path|config-NAME.ARCH}}, you need to do <code>abuild checksum</code>.

The options in the kernel config are typically defaults. If your device is old, it may be set to n by default.

=== Vanilla targets and tuning ===

{|cellpadding="5" border="1" class="wikitable"
!ARCH
!Processor Type / CPU Selection / System Type
!Code Generation / Instruction Extensions
!Timer Frequency
!Preemption Model
!Bitness
|-
|s390x
|IBM zEnterprise 114 and 196
|IBM zBC12 and zEC12 (<code>-march=zEC12 -mtune=zEC12</code>)
|1000 Hz
|No Forced Preemption (Server)
|64
|-
|ppc64le
|Server processors
|POWER8 (<code>-mcpu=power8</code>), AltiVec (<code>-Wa,-maltivec</code> to assembler or <code>-maltivec -mabi=altivec</code>), VSX
|1000 HZ
|No Forced Preemption (Server)
|64
|-
|ppc
|
512x/52xx/6xx/7xx/74xx/82xx/83xx/86xx
* Apple PowerMac based machines
|AltiVec (<code>-Wa,-maltivec</code> to assembler or <code>-maltivec -mabi=altivec</code>) on >=74xx
|1000 HZ
|No Forced Preemption (Server)
|32
|-
|x86_64
|Generic-x86-64
|(-mtune=generic ; SIMD assembly modules enabled based on simple compile test and/or presence of CPU flag)
|1000 HZ
|Voluntary Kernel Preemption (Desktop)
|64
|-
|x86
|586/K5/5x86/6x86/6x86MX
|(-mtune=generic ; SIMD assembly modules enabled based on simple compile test and/or presence of CPU flag)
|1000 HZ
|Voluntary Kernel Preemption (Desktop)
|32
|-
|armv7
|
* ARMv7 based platforms (Cortex-A, PJ4, Scorpion, Krait)
* Freescale i.MX family -- Cortex A (i.MX51, i.MX53, i.MX6 Quad/DualLite, i.MX6 SoloLite, i.MX6 SoloX, i.MX6 UltraLite, i.MX7 Dual)
* Qualcomm -- (MSM8X60, MSM8960, MSM8974)
* Allwinner SoCs -- (A10 (sun4i), A10s / A13 (sun5i), A31 (sun6i), A20 (sun7i), sun8i Family, (sun9i))
* ARM Ldt Versatile Express family --
|Either <code>-march=armv7-a</code> or <code>-march=armv5t -Wa,-march=armv7-a</code> based on a compile test. <code>-mfpu=vfp</code>
|1000 Hz
|Voluntary Kernel Preemption (Desktop)
|32
|-
|aarch64
|
* Allwinner sunxi 64-bit SoC Family
* Broadcom BCM2835 family
* Marvell Berlin SoC Family
* ARMv8 based Samsung Exynos SoC family
* ARMv8 based Freescale Layerscape SoC family
* Hisilicon SoC Family
* Mediatek MT65xx & MT81xx ARMv8 SoC
* Marvell EBU SoC Family
* Qualcomm Platforms
* Rockchip Platforms
* AMD Seattle SoC Family
* Altera's Stratix 10 SoCFPGA Family
* NVIDIA Tegra SoC Family
* Spreadtrum SoC platform
* Cavium Inc. Thunder SoC Family
* ARMv8 software model (Versatile Express)
* AppliedMicro X-Gene SOC Family
* Xilinx ZynqMP Family
|
|1000 HZ
|Voluntary Kernel Preemption (Desktop)
|64
|-
|}
If you do desktop multitasking, you may want to switch to Voluntary Kernel Preemption (Desktop) or Preemptible Kernel (Low-Latency Desktop) and up the Timer Frequency. If you run a dedicated render farm node or a dedicated bitcoin miner use No Forced Preemption (Server) and decrease the Timer Frequency.

Optimized modules (most are already compiled as modules):
* raid6 -- altivec, avx512, ssse3, avx2, mmx, sse, sse2, neon
* some operations of raid5 -- mmx (32 bit), sse (64 bit), avx
For Kernel API:
* 32-bit memcpy -- 3dnow
* 32-bit memory page clearing and copying -- sse (Athlon/K7 only), mmx
From x86/crypto, arm/crypto, powerpc/crypto:
* CAMELLIA -- avx2, avx, aes-ni
* CHACHA20 -- avx2, neon
* CAST5 -- avx
* CAST6 -- avx
* TWOFISH -- avx
* SERPENT -- avx2, avx, sse2
* SHA1 -- avx2, ssse3, neon, spe
* SHA2 -- avx2
* SHA256 -- ssse3, neon, spe
* SHA512 -- avx2, ssse3, neon
* POLY1305 -- avx2
* GHASH -- pclmulqdq (part of aes-ni), vmx (power8)
* AES -- aes-ni, neon, vmx (power8), spe
* CRC32 -- pclmulqdq, sse, neon, vmx (power8)
* CRCT10DIF -- pclmulqdq, sse, neon, vmx (power8)

=== Fast reboots with kexec ===
{{main|kexec}}

If you want to reboot the kernel fast avoiding the POST test, you need {{ic|doas apk add {{pkg|kexec-tools}}}} and enable kexec in the kernel:

Processor type and features
[*] kexec system call

=== Hibernation to prevent data loss ===

Power management and ACPI options
[*] Hibernation (aka 'suspend to disk')

Hibernation should be used if you have a laptop. You don't want the laptop to suddenly shut off resulting in data loss, you want it to save your work based on a percentage of battery life (this requires special script). When hibernation resumes, should lock and ask for credentials. Depending on your needs, the hibernated image can be encrypted/decrypted which again requires additional customization to scripts.

Hibernation with an unsanitized swap file is generally insecure because data and unlocked memory pages are swapped out in plaintext. To increase the security either disable swap or use an encrypted swap. The swap file/partition is typically used as the hibernation resume image.

== Building ==

Before building, make sure you have ccache installed. This should reduce compile time on multiple builds.
You may also want to read up on compile flags - perhaps you want your build to be optimized for speed (or size which is the default).
Review <code>/etc/abuild.conf</code> and set:
<code>
PACKAGER_PRIVKEY="/home/MY_USER_HERE/.abuild/my-email@mydomain.com-ID.rsa"
USE_CCACHE=1
</code>

If you have your config ready, first try building with <code>abuild -rK</code> which install most of the dependencies and keep buildtime temp dirs and files (srcdir/pkgdir/deps).

If it complains about a dependency like {{pkg|elfutils-dev}} use <code>-rKd</code>.
Then, when it prompts for values for new found config options just hold enter till it starts compiling the kernel.
Unless you removed or commented out <code>virt.*.config</code> configs
there should be two sets one for -lts and the other for the -virt.
Just {{Key|Ctrl}}+{{Key|C}} out of the compilation process after
the second set so you can further customize the config.
Then you go into the {{path|src/linux-VER}} and edit the config file.
Copy the {{path|.config}} file overriding the {{path|lts.ARCH.config}} in the srcdir.

== Installing ==

To install it you do a {{ic|doas apk add linux-NAME}} where NAME is your custom kernel name.

== Testing ==

Before you test, you should install the lts kernel too, using <code>apk add {{pkg|linux-lts}}</code>. You may be missing a module and can't boot, so you use the other kernel as the fallback boot kernel.

Normally during the installation using with ''apk'' there are tools that will update initramfs and a boot loader automatically for you. For easier debugging you may want to change boot loader config and remove <code>quiet</code> from linux command line in <code>/etc/default/grub</code> or <code>/etc/update-extlinux.conf</code>.
Or perhaps you want to change other kernel options in <code>/etc/mkinitfs/mkinitfs.conf</code> - please remember to generate initramfs and update your bootloader manually, eg:
<code>
# mkinitfs
# grub-mkconfig -o /boot/grub/grub.cfg
</code>

To test, first you should make a bootable Alpine USB image. Then, when you have your rescue USB done, you <code>reboot</code> the computer.

To test it, you basically do trial and error. Sometimes your config is missing something if you want to have a bare minimum setting.

If you are curious about correctness testing, some kernel modules or components do preform self tests at the beginning of the boot process. The tools may have test suites that you run with the make command.

== See Also ==
* [https://wiki.archlinux.org/title/Kernel Archwiki Kernels]
* [https://wiki.gentoo.org/wiki/Kernel Gentoo Wiki Kernel]
* [https://wiki.gentoo.org/wiki/Kernel/Configuration Gentoo Wiki Kernel Configuration]
* [[How to build the Alpine Linux kernel]]

[[Category:Kernel]]

Custom Kernel

2025-11-02T20:00:52Z

Pawciobiel: add example about flavor

{{Draft}}

This process of building a '''custom configured kernel''' assumes you are running on Alpine Linux utilizing abuild & aports.

== But why? ==

You want to build a custom kernel to enable experimental hardware or features or outdated hardware, to reduce bloat further, to tune the kernel to the hardware.

The lts kernel for most Alpine ARCHs uses defaults to balance throughput at the expense of some responsiveness, and support for many devices. You can tweak the kernel for desktop use and low latency and responsiveness.

You should disable modules to increase security. By default, Alpine will install modules but not disable most of them. Disabling modules will reduce an DMA attack but not eliminate it completely. If you have a newer processor with VT-d, you can mitigate as long as you:

Leave <code>CONFIG_INTEL_IOMMU_DEFAULT_ON=y</code> or pass <code>intel_iommu=on</code> as a kernel parameter and disable kernel logging so the attacker doesn't gain DMAR address information through dmesg.[https://blog.frizk.net/2016/11/disable-virtualization-based-security.html] Also remove references to the kernel version to calculate the IOMMU addresses.[https://link.springer.com/content/pdf/10.1186/s13173-017-0066-7.pdf]

You may also want to harden your kernel by adding at least some of the config changes recommended by <code>kernel-hardening-checker</code> [https://github.com/a13xp0p0v/kernel-hardening-checker/]

To increase the security of the boot process, if you have a TPM, you could set <code>CONFIG_INTEL_TXT=y</code> (Enable Intel(R) Trusted Execution Technology (Intel(R) TXT)) (which is not enabled in the hardened kernel by default), then you would need the SINIT module (provided only by Intel)[https://software.intel.com/en-us/articles/intel-trusted-execution-technology], a possibly compiled TrustedGrub2[https://github.com/Rohde-Schwarz-Cybersecurity/TrustedGRUB2], trousers[https://sourceforge.net/projects/trousers/?source=navbar], tboot[https://sourceforge.net/projects/tboot/]. These packages are not in aports and it is unknown if these tools work on musl. It's not recommended for Edge. Also, there would be trigger packages to generate hashes for the kernel and the mkinitfs updates.

== Setting up the Alpine Build System ==

First, you need to follow the steps in [[Creating_an_Alpine_package#Setup_your_system_and_account|Setup your system and account for building packages]]. You also need to configure your {{path|/etc/apk/repositories}} so that they search locally for your apks. See [[Creating_an_Alpine_package#Testing_the_package_locally|Testing the package locally]] for details.

After setting up accounts and repos, change your shell's current working directory to '''aports''' that you just cloned.

{{cmd|$ cd aports}}

== Working with aports ==

We will try using an existing lts kernel just tweaking the {{path|lts.ARCH.config}} file.

=== Switching to the proper release version ===

You need to switch to the proper branch that matches the release so that the kernel compiles against the dependencies properly.

{| cellpadding="5" border="1" class="wikitable"
|-
! Alpine version
! Remote branch
|-
| Edge
| master
|-
| 3.22.0
| 3.22-stable
|-
|}

The following is required to get access to the {{path|APKBUILD}} released for that version of Alpine and which you will create a commit for.

If you are on 3.22 do:

{{cmd|$ git checkout -b 3.22-stable origin/3.22-stable}}

If you are on Edge do:

{{cmd|$ git checkout master}}

=== Creating your config ===

You can use {{pkg|linux-lts}} but what you should do is create a local branch by doing:

For Alpine 3.22 (linux-lts - 6.12):

{{cmd|$ git checkout -b my-custom-kernel origin/3.22-stable}}

For Alpine Edge:

{{cmd|$ git checkout -b my-custom-kernel}}

Doing it this way, you do less work in maintaining. All you need to do is keep ''master'' or ''3.22-stable'' in sync[https://help.github.com/articles/syncing-a-fork/][https://help.github.com/articles/configuring-a-remote-for-a-fork/] and merge any conflicts.

First switch to the branch by doing
<code>git checkout my-custom-kernel</code>.
Then, you need to navigate to the {{path|main/linux-lts}} folder where you should see a APKBUILD and some config- files.

You may want to change APKBUILD to change the name of your kernel and package (custom flavor or revision) and comment out or remove lines with config files that are not for your cpu architectures or virt* configs that are for virtualized environments.(They provide optimized kernel configurations for running Alpine as a guest in virtual machines.)
Setting custom name/flavor will prevent overriding your default ''linux-lts'' kernel modules and commenting out unused configs will speed up the process of applying kernel patches by applying it for your architecture only. (Obviously ARCH in the following example is whatever architecture (x86, x86_64, ...) you use.)

<code>
_flavor=lts-custom
pkgname=linux-$_flavor
pkgrel=0
pkgdesc="Linux ${_flavor} kernel (optimized)"
</code>

When you are done with your edits to the APKBUILD file copy your config from {{path|lts.ARCH.config}} to {{path|.config}}. You can then move {{path|.config}} back overriding the {{path|lts.ARCH.config}} generated by <code>make localmodconfig</code> or <code>make menuconfig</code> (discussed below in the ''Configuring kernel'' section). After generating your config, you need to run <code>abuild checksum</code>.

Then add your changes, eg <code>git add APKBUILD lts.ARCH.config</code>.
And commit <code>git commit APKBUILD lts.ARCH.config -m "Enabled these options ...."</code> for your customization the '''ARCH'''itecture of your system. You do this so that git can keep your code separate from Alpine's and so your changes float forward between kernel updates.

== Adding custom patches ==

Custom patches should be added to ''sources=''.

After you added the URL, you need to produce a checksum by doing <code>abuild checksum</code>.

The custom patches may not be autopatched, due to being distributed as an archive or different patch level, so you need to define what to do with it in the prepare().

== Configuring kernel ==

Attempt to create a config for your currently running system and modules first.

To create a kernel config based on your currently running PC, use:
<code>make localmodconfig</code>
This command reads your current kernel's configuration from /proc/config.gz (if available) or /boot/config-* and creates a .config file that includes only the modules currently loaded on your system. This results in a minimal configuration tailored to your hardware.
Alternatively, you can use:
<code>make localyesconfig</code>
This is similar to ''localmodconfig'', but instead of building features as modules (m), it builds them directly into the kernel (y), which can result in a larger kernel image but eliminates the need for separate module files.
Note: Before running either command, make sure you have all the hardware you want to support actively in use (USB devices plugged in, network cards active, etc.) so their modules are loaded and included in the configuration.

The alternative is to use the kernel configuration menu in the build-NAME folder, but before you do that you need to <code>sudo apk add {{pkg|ncurses-dev}}</code>

After you are done using the menu in the build-NAME folder by doing <code>make menuconfig</code>, you want to remove <code>ncurses-dev</code>. When you are done, it will be stored in ''.config'' which you need to again override the {{path|lts.ARCH.config}} file. When you are done updating the {{path|config-NAME.ARCH}}, you need to do <code>abuild checksum</code>.

The options in the kernel config are typically defaults. If your device is old, it may be set to n by default.

=== Vanilla targets and tuning ===

{|cellpadding="5" border="1" class="wikitable"
!ARCH
!Processor Type / CPU Selection / System Type
!Code Generation / Instruction Extensions
!Timer Frequency
!Preemption Model
!Bitness
|-
|s390x
|IBM zEnterprise 114 and 196
|IBM zBC12 and zEC12 (<code>-march=zEC12 -mtune=zEC12</code>)
|1000 Hz
|No Forced Preemption (Server)
|64
|-
|ppc64le
|Server processors
|POWER8 (<code>-mcpu=power8</code>), AltiVec (<code>-Wa,-maltivec</code> to assembler or <code>-maltivec -mabi=altivec</code>), VSX
|1000 HZ
|No Forced Preemption (Server)
|64
|-
|ppc
|
512x/52xx/6xx/7xx/74xx/82xx/83xx/86xx
* Apple PowerMac based machines
|AltiVec (<code>-Wa,-maltivec</code> to assembler or <code>-maltivec -mabi=altivec</code>) on >=74xx
|1000 HZ
|No Forced Preemption (Server)
|32
|-
|x86_64
|Generic-x86-64
|(-mtune=generic ; SIMD assembly modules enabled based on simple compile test and/or presence of CPU flag)
|1000 HZ
|Voluntary Kernel Preemption (Desktop)
|64
|-
|x86
|586/K5/5x86/6x86/6x86MX
|(-mtune=generic ; SIMD assembly modules enabled based on simple compile test and/or presence of CPU flag)
|1000 HZ
|Voluntary Kernel Preemption (Desktop)
|32
|-
|armv7
|
* ARMv7 based platforms (Cortex-A, PJ4, Scorpion, Krait)
* Freescale i.MX family -- Cortex A (i.MX51, i.MX53, i.MX6 Quad/DualLite, i.MX6 SoloLite, i.MX6 SoloX, i.MX6 UltraLite, i.MX7 Dual)
* Qualcomm -- (MSM8X60, MSM8960, MSM8974)
* Allwinner SoCs -- (A10 (sun4i), A10s / A13 (sun5i), A31 (sun6i), A20 (sun7i), sun8i Family, (sun9i))
* ARM Ldt Versatile Express family --
|Either <code>-march=armv7-a</code> or <code>-march=armv5t -Wa,-march=armv7-a</code> based on a compile test. <code>-mfpu=vfp</code>
|1000 Hz
|Voluntary Kernel Preemption (Desktop)
|32
|-
|aarch64
|
* Allwinner sunxi 64-bit SoC Family
* Broadcom BCM2835 family
* Marvell Berlin SoC Family
* ARMv8 based Samsung Exynos SoC family
* ARMv8 based Freescale Layerscape SoC family
* Hisilicon SoC Family
* Mediatek MT65xx & MT81xx ARMv8 SoC
* Marvell EBU SoC Family
* Qualcomm Platforms
* Rockchip Platforms
* AMD Seattle SoC Family
* Altera's Stratix 10 SoCFPGA Family
* NVIDIA Tegra SoC Family
* Spreadtrum SoC platform
* Cavium Inc. Thunder SoC Family
* ARMv8 software model (Versatile Express)
* AppliedMicro X-Gene SOC Family
* Xilinx ZynqMP Family
|
|1000 HZ
|Voluntary Kernel Preemption (Desktop)
|64
|-
|}
If you do desktop multitasking, you may want to switch to Voluntary Kernel Preemption (Desktop) or Preemptible Kernel (Low-Latency Desktop) and up the Timer Frequency. If you run a dedicated render farm node or a dedicated bitcoin miner use No Forced Preemption (Server) and decrease the Timer Frequency.

Optimized modules (most are already compiled as modules):
* raid6 -- altivec, avx512, ssse3, avx2, mmx, sse, sse2, neon
* some operations of raid5 -- mmx (32 bit), sse (64 bit), avx
For Kernel API:
* 32-bit memcpy -- 3dnow
* 32-bit memory page clearing and copying -- sse (Athlon/K7 only), mmx
From x86/crypto, arm/crypto, powerpc/crypto:
* CAMELLIA -- avx2, avx, aes-ni
* CHACHA20 -- avx2, neon
* CAST5 -- avx
* CAST6 -- avx
* TWOFISH -- avx
* SERPENT -- avx2, avx, sse2
* SHA1 -- avx2, ssse3, neon, spe
* SHA2 -- avx2
* SHA256 -- ssse3, neon, spe
* SHA512 -- avx2, ssse3, neon
* POLY1305 -- avx2
* GHASH -- pclmulqdq (part of aes-ni), vmx (power8)
* AES -- aes-ni, neon, vmx (power8), spe
* CRC32 -- pclmulqdq, sse, neon, vmx (power8)
* CRCT10DIF -- pclmulqdq, sse, neon, vmx (power8)

=== Fast reboots with kexec ===
{{main|kexec}}

If you want to reboot the kernel fast avoiding the POST test, you need {{ic|doas apk add {{pkg|kexec-tools}}}} and enable kexec in the kernel:

Processor type and features
[*] kexec system call

=== Hibernation to prevent data loss ===

Power management and ACPI options
[*] Hibernation (aka 'suspend to disk')

Hibernation should be used if you have a laptop. You don't want the laptop to suddenly shut off resulting in data loss, you want it to save your work based on a percentage of battery life (this requires special script). When hibernation resumes, should lock and ask for credentials. Depending on your needs, the hibernated image can be encrypted/decrypted which again requires additional customization to scripts.

Hibernation with an unsanitized swap file is generally insecure because data and unlocked memory pages are swapped out in plaintext. To increase the security either disable swap or use an encrypted swap. The swap file/partition is typically used as the hibernation resume image.

== Building ==

Before building, make sure you have ccache installed. This should reduce compile time on multiple builds.
You may also want to read up on compile flags - perhaps you want your build to be optimized for speed (or size which is the default).
Review <code>/etc/abuild.conf</code> and set:
<code>
PACKAGER_PRIVKEY="/home/MY_USER_HERE/.abuild/my-email@mydomain.com-ID.rsa"
USE_CCACHE=1
</code>

If you have your config ready, first try building with <code>abuild -rK</code> which install most of the dependencies and keep buildtime temp dirs and files (srcdir/pkgdir/deps).

If it complains about a dependency like {{pkg|elfutils-dev}} use <code>-rKd</code>.
Then, when it prompts for values for new found config options just hold enter till it starts compiling the kernel.
Unless you removed or commented out <code>virt.*.config</code> configs
there should be two sets one for -lts and the other for the -virt.
Just {{Key|Ctrl}}+{{Key|C}} out of the compilation process after
the second set so you can further customize the config.
Then you go into the {{path|src/linux-VER}} and edit the config file.
Copy the {{path|.config}} file overriding the {{path|lts.ARCH.config}} in the srcdir.

== Installing ==

To install it you do a {{ic|doas apk add linux-NAME}} where NAME is your custom kernel name.

== Testing ==

Before you test, you should install the lts kernel too, using <code>apk add {{pkg|linux-lts}}</code>. You may be missing a module and can't boot, so you use the other kernel as the fallback boot kernel.

Normally during the installation using with ''apk'' there are tools that will update initramfs and a boot loader automatically for you. For easier debugging you may want to change boot loader config and remove <code>quiet</code> from linux command line in <code>/etc/default/grub</code> or <code>/etc/update-extlinux.conf</code>.
Or perhaps you want to change other kernel options in <code>/etc/mkinitfs/mkinitfs.conf</code> - please remember to generate initramfs and update your bootloader manually, eg:
<code>
# mkinitfs
# grub-mkconfig -o /boot/grub/grub.cfg
</code>

To test, first you should make a bootable Alpine USB image. Then, when you have your rescue USB done, you <code>reboot</code> the computer.

To test it, you basically do trial and error. Sometimes your config is missing something if you want to have a bare minimum setting.

If you are curious about correctness testing, some kernel modules or components do preform self tests at the beginning of the boot process. The tools may have test suites that you run with the make command.

== See Also ==
* [https://wiki.archlinux.org/title/Kernel Archwiki Kernels]
* [https://wiki.gentoo.org/wiki/Kernel Gentoo Wiki Kernel]
* [https://wiki.gentoo.org/wiki/Kernel/Configuration Gentoo Wiki Kernel Configuration]
* [[How to build the Alpine Linux kernel]]

[[Category:Kernel]]

Custom Kernel

2025-11-02T19:51:05Z

Pawciobiel: 3.17 -> 3.22

{{Draft}}

This process of building a '''custom configured kernel''' assumes you are running on Alpine Linux utilizing abuild & aports.

== But why? ==

You want to build a custom kernel to enable experimental hardware or features or outdated hardware, to reduce bloat further, to tune the kernel to the hardware.

The lts kernel for most Alpine ARCHs uses defaults to balance throughput at the expense of some responsiveness, and support for many devices. You can tweak the kernel for desktop use and low latency and responsiveness.

You should disable modules to increase security. By default, Alpine will install modules but not disable most of them. Disabling modules will reduce an DMA attack but not eliminate it completely. If you have a newer processor with VT-d, you can mitigate as long as you:

Leave <code>CONFIG_INTEL_IOMMU_DEFAULT_ON=y</code> or pass <code>intel_iommu=on</code> as a kernel parameter and disable kernel logging so the attacker doesn't gain DMAR address information through dmesg.[https://blog.frizk.net/2016/11/disable-virtualization-based-security.html] Also remove references to the kernel version to calculate the IOMMU addresses.[https://link.springer.com/content/pdf/10.1186/s13173-017-0066-7.pdf]

You may also want to harden your kernel by adding at least some of the config changes recommended by <code>kernel-hardening-checker</code> [https://github.com/a13xp0p0v/kernel-hardening-checker/]

To increase the security of the boot process, if you have a TPM, you could set <code>CONFIG_INTEL_TXT=y</code> (Enable Intel(R) Trusted Execution Technology (Intel(R) TXT)) (which is not enabled in the hardened kernel by default), then you would need the SINIT module (provided only by Intel)[https://software.intel.com/en-us/articles/intel-trusted-execution-technology], a possibly compiled TrustedGrub2[https://github.com/Rohde-Schwarz-Cybersecurity/TrustedGRUB2], trousers[https://sourceforge.net/projects/trousers/?source=navbar], tboot[https://sourceforge.net/projects/tboot/]. These packages are not in aports and it is unknown if these tools work on musl. It's not recommended for Edge. Also, there would be trigger packages to generate hashes for the kernel and the mkinitfs updates.

== Setting up the Alpine Build System ==

First, you need to follow the steps in [[Creating_an_Alpine_package#Setup_your_system_and_account|Setup your system and account for building packages]]. You also need to configure your {{path|/etc/apk/repositories}} so that they search locally for your apks. See [[Creating_an_Alpine_package#Testing_the_package_locally|Testing the package locally]] for details.

After setting up accounts and repos, change your shell's current working directory to '''aports''' that you just cloned.

{{cmd|$ cd aports}}

== Working with aports ==

We will try using an existing lts kernel just tweaking the {{path|lts.ARCH.config}} file.

=== Switching to the proper release version ===

You need to switch to the proper branch that matches the release so that the kernel compiles against the dependencies properly.

{| cellpadding="5" border="1" class="wikitable"
|-
! Alpine version
! Remote branch
|-
| Edge
| master
|-
| 3.22.0
| 3.22-stable
|-
|}

The following is required to get access to the {{path|APKBUILD}} released for that version of Alpine and which you will create a commit for.

If you are on 3.22 do:

{{cmd|$ git checkout -b 3.22-stable origin/3.22-stable}}

If you are on Edge do:

{{cmd|$ git checkout master}}

=== Creating your config ===

You can use {{pkg|linux-lts}} but what you should do is create a local branch by doing:

For Alpine 3.22 (linux-lts - 6.12):

{{cmd|$ git checkout -b my-custom-kernel origin/3.22-stable}}

For Alpine Edge:

{{cmd|$ git checkout -b my-custom-kernel}}

Doing it this way, you do less work in maintaining. All you need to do is keep ''master'' or ''3.22-stable'' in sync[https://help.github.com/articles/syncing-a-fork/][https://help.github.com/articles/configuring-a-remote-for-a-fork/] and merge any conflicts.

First switch to the branch by doing
<code>git checkout my-custom-kernel</code>.
Then, you need to navigate to the {{path|main/linux-lts}} folder where you should see a APKBUILD and some config- files.

You may want to change APKBUILD to change the name of your kernel and package (custom flavor or revision) and comment out or remove lines with config files that are not for your cpu architectures or virt* configs that are for virtualized environments.(They provide optimized kernel configurations for running Alpine as a guest in virtual machines.)
Setting custom name/flavor will prevent overriding your default ''linux-lts'' kernel modules and commenting out unused configs will speed up the process of applying kernel patches by applying it for your architecture only. (Obviously ARCH in the following example is whatever architecture (x86, x86_64, ...) you use.)

When you are done with your edits to the APKBUILD file copy it {{path|lts.ARCH.config}} to {{path|.config}}. You can then move the {{path|.config}} back overriding the {{path|lts.ARCH.config}} generated by <code>make localmodconfig</code> or <code>make menuconfig</code> (discussed below in the ''Configuring kernel'' section). After generating your config, you need to run <code>abuild checksum</code>.
Then add your changes, eg <code>git add APKBUILD lts.ARCH.config</code>.
And commit <code>git commit APKBUILD config-NAME.ARCH -m "Enabled these options ...."</code> for your customization the '''ARCH'''itecture of your system. You do this so that git can keep your code separate from Alpine's and so your changes float forward between kernel updates.

== Adding custom patches ==

Custom patches should be added to ''sources=''.

After you added the URL, you need to produce a checksum by doing <code>abuild checksum</code>.

The custom patches may not be autopatched, due to being distributed as an archive or different patch level, so you need to define what to do with it in the prepare().

== Configuring kernel ==

Attempt to create a config for your currently running system and modules first.

To create a kernel config based on your currently running PC, use:
<code>make localmodconfig</code>
This command reads your current kernel's configuration from /proc/config.gz (if available) or /boot/config-* and creates a .config file that includes only the modules currently loaded on your system. This results in a minimal configuration tailored to your hardware.
Alternatively, you can use:
<code>make localyesconfig</code>
This is similar to ''localmodconfig'', but instead of building features as modules (m), it builds them directly into the kernel (y), which can result in a larger kernel image but eliminates the need for separate module files.
Note: Before running either command, make sure you have all the hardware you want to support actively in use (USB devices plugged in, network cards active, etc.) so their modules are loaded and included in the configuration.

The alternative is to use the kernel configuration menu in the build-NAME folder, but before you do that you need to <code>sudo apk add {{pkg|ncurses-dev}}</code>

After you are done using the menu in the build-NAME folder by doing <code>make menuconfig</code>, you want to remove <code>ncurses-dev</code>. When you are done, it will be stored in ''.config'' which you need to again override the {{path|lts.ARCH.config}} file. When you are done updating the {{path|config-NAME.ARCH}}, you need to do <code>abuild checksum</code>.

The options in the kernel config are typically defaults. If your device is old, it may be set to n by default.

=== Vanilla targets and tuning ===

{|cellpadding="5" border="1" class="wikitable"
!ARCH
!Processor Type / CPU Selection / System Type
!Code Generation / Instruction Extensions
!Timer Frequency
!Preemption Model
!Bitness
|-
|s390x
|IBM zEnterprise 114 and 196
|IBM zBC12 and zEC12 (<code>-march=zEC12 -mtune=zEC12</code>)
|1000 Hz
|No Forced Preemption (Server)
|64
|-
|ppc64le
|Server processors
|POWER8 (<code>-mcpu=power8</code>), AltiVec (<code>-Wa,-maltivec</code> to assembler or <code>-maltivec -mabi=altivec</code>), VSX
|1000 HZ
|No Forced Preemption (Server)
|64
|-
|ppc
|
512x/52xx/6xx/7xx/74xx/82xx/83xx/86xx
* Apple PowerMac based machines
|AltiVec (<code>-Wa,-maltivec</code> to assembler or <code>-maltivec -mabi=altivec</code>) on >=74xx
|1000 HZ
|No Forced Preemption (Server)
|32
|-
|x86_64
|Generic-x86-64
|(-mtune=generic ; SIMD assembly modules enabled based on simple compile test and/or presence of CPU flag)
|1000 HZ
|Voluntary Kernel Preemption (Desktop)
|64
|-
|x86
|586/K5/5x86/6x86/6x86MX
|(-mtune=generic ; SIMD assembly modules enabled based on simple compile test and/or presence of CPU flag)
|1000 HZ
|Voluntary Kernel Preemption (Desktop)
|32
|-
|armv7
|
* ARMv7 based platforms (Cortex-A, PJ4, Scorpion, Krait)
* Freescale i.MX family -- Cortex A (i.MX51, i.MX53, i.MX6 Quad/DualLite, i.MX6 SoloLite, i.MX6 SoloX, i.MX6 UltraLite, i.MX7 Dual)
* Qualcomm -- (MSM8X60, MSM8960, MSM8974)
* Allwinner SoCs -- (A10 (sun4i), A10s / A13 (sun5i), A31 (sun6i), A20 (sun7i), sun8i Family, (sun9i))
* ARM Ldt Versatile Express family --
|Either <code>-march=armv7-a</code> or <code>-march=armv5t -Wa,-march=armv7-a</code> based on a compile test. <code>-mfpu=vfp</code>
|1000 Hz
|Voluntary Kernel Preemption (Desktop)
|32
|-
|aarch64
|
* Allwinner sunxi 64-bit SoC Family
* Broadcom BCM2835 family
* Marvell Berlin SoC Family
* ARMv8 based Samsung Exynos SoC family
* ARMv8 based Freescale Layerscape SoC family
* Hisilicon SoC Family
* Mediatek MT65xx & MT81xx ARMv8 SoC
* Marvell EBU SoC Family
* Qualcomm Platforms
* Rockchip Platforms
* AMD Seattle SoC Family
* Altera's Stratix 10 SoCFPGA Family
* NVIDIA Tegra SoC Family
* Spreadtrum SoC platform
* Cavium Inc. Thunder SoC Family
* ARMv8 software model (Versatile Express)
* AppliedMicro X-Gene SOC Family
* Xilinx ZynqMP Family
|
|1000 HZ
|Voluntary Kernel Preemption (Desktop)
|64
|-
|}
If you do desktop multitasking, you may want to switch to Voluntary Kernel Preemption (Desktop) or Preemptible Kernel (Low-Latency Desktop) and up the Timer Frequency. If you run a dedicated render farm node or a dedicated bitcoin miner use No Forced Preemption (Server) and decrease the Timer Frequency.

Optimized modules (most are already compiled as modules):
* raid6 -- altivec, avx512, ssse3, avx2, mmx, sse, sse2, neon
* some operations of raid5 -- mmx (32 bit), sse (64 bit), avx
For Kernel API:
* 32-bit memcpy -- 3dnow
* 32-bit memory page clearing and copying -- sse (Athlon/K7 only), mmx
From x86/crypto, arm/crypto, powerpc/crypto:
* CAMELLIA -- avx2, avx, aes-ni
* CHACHA20 -- avx2, neon
* CAST5 -- avx
* CAST6 -- avx
* TWOFISH -- avx
* SERPENT -- avx2, avx, sse2
* SHA1 -- avx2, ssse3, neon, spe
* SHA2 -- avx2
* SHA256 -- ssse3, neon, spe
* SHA512 -- avx2, ssse3, neon
* POLY1305 -- avx2
* GHASH -- pclmulqdq (part of aes-ni), vmx (power8)
* AES -- aes-ni, neon, vmx (power8), spe
* CRC32 -- pclmulqdq, sse, neon, vmx (power8)
* CRCT10DIF -- pclmulqdq, sse, neon, vmx (power8)

=== Fast reboots with kexec ===
{{main|kexec}}

If you want to reboot the kernel fast avoiding the POST test, you need {{ic|doas apk add {{pkg|kexec-tools}}}} and enable kexec in the kernel:

Processor type and features
[*] kexec system call

=== Hibernation to prevent data loss ===

Power management and ACPI options
[*] Hibernation (aka 'suspend to disk')

Hibernation should be used if you have a laptop. You don't want the laptop to suddenly shut off resulting in data loss, you want it to save your work based on a percentage of battery life (this requires special script). When hibernation resumes, should lock and ask for credentials. Depending on your needs, the hibernated image can be encrypted/decrypted which again requires additional customization to scripts.

Hibernation with an unsanitized swap file is generally insecure because data and unlocked memory pages are swapped out in plaintext. To increase the security either disable swap or use an encrypted swap. The swap file/partition is typically used as the hibernation resume image.

== Building ==

Before building, make sure you have ccache installed. This should reduce compile time on multiple builds.
You may also want to read up on compile flags - perhaps you want your build to be optimized for speed (or size which is the default).
Review <code>/etc/abuild.conf</code> and set:
<code>
PACKAGER_PRIVKEY="/home/MY_USER_HERE/.abuild/my-email@mydomain.com-ID.rsa"
USE_CCACHE=1
</code>

If you have your config ready, first try building with <code>abuild -rK</code> which install most of the dependencies and keep buildtime temp dirs and files (srcdir/pkgdir/deps).

If it complains about a dependency like {{pkg|elfutils-dev}} use <code>-rKd</code>.
Then, when it prompts for values for new found config options just hold enter till it starts compiling the kernel.
Unless you removed or commented out <code>virt.*.config</code> configs
there should be two sets one for -lts and the other for the -virt.
Just {{Key|Ctrl}}+{{Key|C}} out of the compilation process after
the second set so you can further customize the config.
Then you go into the {{path|src/linux-VER}} and edit the config file.
Copy the {{path|.config}} file overriding the {{path|lts.ARCH.config}} in the srcdir.

== Installing ==

To install it you do a {{ic|doas apk add linux-NAME}} where NAME is your custom kernel name.

== Testing ==

Before you test, you should install the lts kernel too, using <code>apk add {{pkg|linux-lts}}</code>. You may be missing a module and can't boot, so you use the other kernel as the fallback boot kernel.

Normally during the installation using with ''apk'' there are tools that will update initramfs and a boot loader automatically for you. For easier debugging you may want to change boot loader config and remove <code>quiet</code> from linux command line in <code>/etc/default/grub</code> or <code>/etc/update-extlinux.conf</code>.
Or perhaps you want to change other kernel options in <code>/etc/mkinitfs/mkinitfs.conf</code> - please remember to generate initramfs and update your bootloader manually, eg:
<code>
# mkinitfs
# grub-mkconfig -o /boot/grub/grub.cfg
</code>

To test, first you should make a bootable Alpine USB image. Then, when you have your rescue USB done, you <code>reboot</code> the computer.

To test it, you basically do trial and error. Sometimes your config is missing something if you want to have a bare minimum setting.

If you are curious about correctness testing, some kernel modules or components do preform self tests at the beginning of the boot process. The tools may have test suites that you run with the make command.

== See Also ==
* [https://wiki.archlinux.org/title/Kernel Archwiki Kernels]
* [https://wiki.gentoo.org/wiki/Kernel Gentoo Wiki Kernel]
* [https://wiki.gentoo.org/wiki/Kernel/Configuration Gentoo Wiki Kernel Configuration]
* [[How to build the Alpine Linux kernel]]

[[Category:Kernel]]

Custom Kernel

2025-11-02T19:47:57Z

Pawciobiel: reword and add info about virt configs

{{Draft}}

This process of building a '''custom configured kernel''' assumes you are running on Alpine Linux utilizing abuild & aports.

== But why? ==

You want to build a custom kernel to enable experimental hardware or features or outdated hardware, to reduce bloat further, to tune the kernel to the hardware.

The lts kernel for most Alpine ARCHs uses defaults to balance throughput at the expense of some responsiveness, and support for many devices. You can tweak the kernel for desktop use and low latency and responsiveness.

You should disable modules to increase security. By default, Alpine will install modules but not disable most of them. Disabling modules will reduce an DMA attack but not eliminate it completely. If you have a newer processor with VT-d, you can mitigate as long as you:

Leave <code>CONFIG_INTEL_IOMMU_DEFAULT_ON=y</code> or pass <code>intel_iommu=on</code> as a kernel parameter and disable kernel logging so the attacker doesn't gain DMAR address information through dmesg.[https://blog.frizk.net/2016/11/disable-virtualization-based-security.html] Also remove references to the kernel version to calculate the IOMMU addresses.[https://link.springer.com/content/pdf/10.1186/s13173-017-0066-7.pdf]

You may also want to harden your kernel by adding at least some of the config changes recommended by <code>kernel-hardening-checker</code> [https://github.com/a13xp0p0v/kernel-hardening-checker/]

To increase the security of the boot process, if you have a TPM, you could set <code>CONFIG_INTEL_TXT=y</code> (Enable Intel(R) Trusted Execution Technology (Intel(R) TXT)) (which is not enabled in the hardened kernel by default), then you would need the SINIT module (provided only by Intel)[https://software.intel.com/en-us/articles/intel-trusted-execution-technology], a possibly compiled TrustedGrub2[https://github.com/Rohde-Schwarz-Cybersecurity/TrustedGRUB2], trousers[https://sourceforge.net/projects/trousers/?source=navbar], tboot[https://sourceforge.net/projects/tboot/]. These packages are not in aports and it is unknown if these tools work on musl. It's not recommended for Edge. Also, there would be trigger packages to generate hashes for the kernel and the mkinitfs updates.

== Setting up the Alpine Build System ==

First, you need to follow the steps in [[Creating_an_Alpine_package#Setup_your_system_and_account|Setup your system and account for building packages]]. You also need to configure your {{path|/etc/apk/repositories}} so that they search locally for your apks. See [[Creating_an_Alpine_package#Testing_the_package_locally|Testing the package locally]] for details.

After setting up accounts and repos, change your shell's current working directory to '''aports''' that you just cloned.

{{cmd|$ cd aports}}

== Working with aports ==

We will try using an existing lts kernel just tweaking the {{path|lts.ARCH.config}} file.

=== Switching to the proper release version ===

You need to switch to the proper branch that matches the release so that the kernel compiles against the dependencies properly.

{| cellpadding="5" border="1" class="wikitable"
|-
! Alpine version
! Remote branch
|-
| Edge
| master
|-
| 3.17.0
| 3.17-stable
|-
|}

The following is required to get access to the {{path|APKBUILD}} released for that version of Alpine and which you will create a commit for.

If you are on 3.17 do:

{{cmd|$ git checkout -b 3.17-stable origin/3.17-stable}}

If you are on Edge do:

{{cmd|$ git checkout master}}

=== Creating your config ===

You can use {{pkg|linux-lts}} but what you should do is create a local branch by doing:

For Alpine 3.22 (linux-lts - 6.12):

{{cmd|$ git checkout -b my-custom-kernel origin/3.22-stable}}

For Alpine Edge:

{{cmd|$ git checkout -b my-custom-kernel}}

Doing it this way, you do less work in maintaining. All you need to do is keep ''master'' or ''3.22-stable'' in sync[https://help.github.com/articles/syncing-a-fork/][https://help.github.com/articles/configuring-a-remote-for-a-fork/] and merge any conflicts.

First switch to the branch by doing
<code>git checkout my-custom-kernel</code>.
Then, you need to navigate to the {{path|main/linux-lts}} folder where you should see a APKBUILD and some config- files.

You may want to change APKBUILD to change the name of your kernel and package (custom flavor or revision) and comment out or remove lines with config files that are not for your cpu architectures or virt* configs that are for virtualized environments.(They provide optimized kernel configurations for running Alpine as a guest in virtual machines.)
Setting custom name/flavor will prevent overriding your default ''linux-lts'' kernel modules and commenting out unused configs will speed up the process of applying kernel patches by applying it for your architecture only. (Obviously ARCH in the following example is whatever architecture (x86, x86_64, ...) you use.)

When you are done with your edits to the APKBUILD file copy it {{path|lts.ARCH.config}} to {{path|.config}}. You can then move the {{path|.config}} back overriding the {{path|lts.ARCH.config}} generated by <code>make localmodconfig</code> or <code>make menuconfig</code> (discussed below in the ''Configuring kernel'' section). After generating your config, you need to run <code>abuild checksum</code>.
Then add your changes, eg <code>git add APKBUILD lts.ARCH.config</code>.
And commit <code>git commit APKBUILD config-NAME.ARCH -m "Enabled these options ...."</code> for your customization the '''ARCH'''itecture of your system. You do this so that git can keep your code separate from Alpine's and so your changes float forward between kernel updates.

== Adding custom patches ==

Custom patches should be added to ''sources=''.

After you added the URL, you need to produce a checksum by doing <code>abuild checksum</code>.

The custom patches may not be autopatched, due to being distributed as an archive or different patch level, so you need to define what to do with it in the prepare().

== Configuring kernel ==

Attempt to create a config for your currently running system and modules first.

To create a kernel config based on your currently running PC, use:
<code>make localmodconfig</code>
This command reads your current kernel's configuration from /proc/config.gz (if available) or /boot/config-* and creates a .config file that includes only the modules currently loaded on your system. This results in a minimal configuration tailored to your hardware.
Alternatively, you can use:
<code>make localyesconfig</code>
This is similar to ''localmodconfig'', but instead of building features as modules (m), it builds them directly into the kernel (y), which can result in a larger kernel image but eliminates the need for separate module files.
Note: Before running either command, make sure you have all the hardware you want to support actively in use (USB devices plugged in, network cards active, etc.) so their modules are loaded and included in the configuration.

The alternative is to use the kernel configuration menu in the build-NAME folder, but before you do that you need to <code>sudo apk add {{pkg|ncurses-dev}}</code>

After you are done using the menu in the build-NAME folder by doing <code>make menuconfig</code>, you want to remove <code>ncurses-dev</code>. When you are done, it will be stored in ''.config'' which you need to again override the {{path|lts.ARCH.config}} file. When you are done updating the {{path|config-NAME.ARCH}}, you need to do <code>abuild checksum</code>.

The options in the kernel config are typically defaults. If your device is old, it may be set to n by default.

=== Vanilla targets and tuning ===

{|cellpadding="5" border="1" class="wikitable"
!ARCH
!Processor Type / CPU Selection / System Type
!Code Generation / Instruction Extensions
!Timer Frequency
!Preemption Model
!Bitness
|-
|s390x
|IBM zEnterprise 114 and 196
|IBM zBC12 and zEC12 (<code>-march=zEC12 -mtune=zEC12</code>)
|1000 Hz
|No Forced Preemption (Server)
|64
|-
|ppc64le
|Server processors
|POWER8 (<code>-mcpu=power8</code>), AltiVec (<code>-Wa,-maltivec</code> to assembler or <code>-maltivec -mabi=altivec</code>), VSX
|1000 HZ
|No Forced Preemption (Server)
|64
|-
|ppc
|
512x/52xx/6xx/7xx/74xx/82xx/83xx/86xx
* Apple PowerMac based machines
|AltiVec (<code>-Wa,-maltivec</code> to assembler or <code>-maltivec -mabi=altivec</code>) on >=74xx
|1000 HZ
|No Forced Preemption (Server)
|32
|-
|x86_64
|Generic-x86-64
|(-mtune=generic ; SIMD assembly modules enabled based on simple compile test and/or presence of CPU flag)
|1000 HZ
|Voluntary Kernel Preemption (Desktop)
|64
|-
|x86
|586/K5/5x86/6x86/6x86MX
|(-mtune=generic ; SIMD assembly modules enabled based on simple compile test and/or presence of CPU flag)
|1000 HZ
|Voluntary Kernel Preemption (Desktop)
|32
|-
|armv7
|
* ARMv7 based platforms (Cortex-A, PJ4, Scorpion, Krait)
* Freescale i.MX family -- Cortex A (i.MX51, i.MX53, i.MX6 Quad/DualLite, i.MX6 SoloLite, i.MX6 SoloX, i.MX6 UltraLite, i.MX7 Dual)
* Qualcomm -- (MSM8X60, MSM8960, MSM8974)
* Allwinner SoCs -- (A10 (sun4i), A10s / A13 (sun5i), A31 (sun6i), A20 (sun7i), sun8i Family, (sun9i))
* ARM Ldt Versatile Express family --
|Either <code>-march=armv7-a</code> or <code>-march=armv5t -Wa,-march=armv7-a</code> based on a compile test. <code>-mfpu=vfp</code>
|1000 Hz
|Voluntary Kernel Preemption (Desktop)
|32
|-
|aarch64
|
* Allwinner sunxi 64-bit SoC Family
* Broadcom BCM2835 family
* Marvell Berlin SoC Family
* ARMv8 based Samsung Exynos SoC family
* ARMv8 based Freescale Layerscape SoC family
* Hisilicon SoC Family
* Mediatek MT65xx & MT81xx ARMv8 SoC
* Marvell EBU SoC Family
* Qualcomm Platforms
* Rockchip Platforms
* AMD Seattle SoC Family
* Altera's Stratix 10 SoCFPGA Family
* NVIDIA Tegra SoC Family
* Spreadtrum SoC platform
* Cavium Inc. Thunder SoC Family
* ARMv8 software model (Versatile Express)
* AppliedMicro X-Gene SOC Family
* Xilinx ZynqMP Family
|
|1000 HZ
|Voluntary Kernel Preemption (Desktop)
|64
|-
|}
If you do desktop multitasking, you may want to switch to Voluntary Kernel Preemption (Desktop) or Preemptible Kernel (Low-Latency Desktop) and up the Timer Frequency. If you run a dedicated render farm node or a dedicated bitcoin miner use No Forced Preemption (Server) and decrease the Timer Frequency.

Optimized modules (most are already compiled as modules):
* raid6 -- altivec, avx512, ssse3, avx2, mmx, sse, sse2, neon
* some operations of raid5 -- mmx (32 bit), sse (64 bit), avx
For Kernel API:
* 32-bit memcpy -- 3dnow
* 32-bit memory page clearing and copying -- sse (Athlon/K7 only), mmx
From x86/crypto, arm/crypto, powerpc/crypto:
* CAMELLIA -- avx2, avx, aes-ni
* CHACHA20 -- avx2, neon
* CAST5 -- avx
* CAST6 -- avx
* TWOFISH -- avx
* SERPENT -- avx2, avx, sse2
* SHA1 -- avx2, ssse3, neon, spe
* SHA2 -- avx2
* SHA256 -- ssse3, neon, spe
* SHA512 -- avx2, ssse3, neon
* POLY1305 -- avx2
* GHASH -- pclmulqdq (part of aes-ni), vmx (power8)
* AES -- aes-ni, neon, vmx (power8), spe
* CRC32 -- pclmulqdq, sse, neon, vmx (power8)
* CRCT10DIF -- pclmulqdq, sse, neon, vmx (power8)

=== Fast reboots with kexec ===
{{main|kexec}}

If you want to reboot the kernel fast avoiding the POST test, you need {{ic|doas apk add {{pkg|kexec-tools}}}} and enable kexec in the kernel:

Processor type and features
[*] kexec system call

=== Hibernation to prevent data loss ===

Power management and ACPI options
[*] Hibernation (aka 'suspend to disk')

Hibernation should be used if you have a laptop. You don't want the laptop to suddenly shut off resulting in data loss, you want it to save your work based on a percentage of battery life (this requires special script). When hibernation resumes, should lock and ask for credentials. Depending on your needs, the hibernated image can be encrypted/decrypted which again requires additional customization to scripts.

Hibernation with an unsanitized swap file is generally insecure because data and unlocked memory pages are swapped out in plaintext. To increase the security either disable swap or use an encrypted swap. The swap file/partition is typically used as the hibernation resume image.

== Building ==

Before building, make sure you have ccache installed. This should reduce compile time on multiple builds.
You may also want to read up on compile flags - perhaps you want your build to be optimized for speed (or size which is the default).
Review <code>/etc/abuild.conf</code> and set:
<code>
PACKAGER_PRIVKEY="/home/MY_USER_HERE/.abuild/my-email@mydomain.com-ID.rsa"
USE_CCACHE=1
</code>

If you have your config ready, first try building with <code>abuild -rK</code> which install most of the dependencies and keep buildtime temp dirs and files (srcdir/pkgdir/deps).

If it complains about a dependency like {{pkg|elfutils-dev}} use <code>-rKd</code>.
Then, when it prompts for values for new found config options just hold enter till it starts compiling the kernel.
Unless you removed or commented out <code>virt.*.config</code> configs
there should be two sets one for -lts and the other for the -virt.
Just {{Key|Ctrl}}+{{Key|C}} out of the compilation process after
the second set so you can further customize the config.
Then you go into the {{path|src/linux-VER}} and edit the config file.
Copy the {{path|.config}} file overriding the {{path|lts.ARCH.config}} in the srcdir.

== Installing ==

To install it you do a {{ic|doas apk add linux-NAME}} where NAME is your custom kernel name.

== Testing ==

Before you test, you should install the lts kernel too, using <code>apk add {{pkg|linux-lts}}</code>. You may be missing a module and can't boot, so you use the other kernel as the fallback boot kernel.

Normally during the installation using with ''apk'' there are tools that will update initramfs and a boot loader automatically for you. For easier debugging you may want to change boot loader config and remove <code>quiet</code> from linux command line in <code>/etc/default/grub</code> or <code>/etc/update-extlinux.conf</code>.
Or perhaps you want to change other kernel options in <code>/etc/mkinitfs/mkinitfs.conf</code> - please remember to generate initramfs and update your bootloader manually, eg:
<code>
# mkinitfs
# grub-mkconfig -o /boot/grub/grub.cfg
</code>

To test, first you should make a bootable Alpine USB image. Then, when you have your rescue USB done, you <code>reboot</code> the computer.

To test it, you basically do trial and error. Sometimes your config is missing something if you want to have a bare minimum setting.

If you are curious about correctness testing, some kernel modules or components do preform self tests at the beginning of the boot process. The tools may have test suites that you run with the make command.

== See Also ==
* [https://wiki.archlinux.org/title/Kernel Archwiki Kernels]
* [https://wiki.gentoo.org/wiki/Kernel Gentoo Wiki Kernel]
* [https://wiki.gentoo.org/wiki/Kernel/Configuration Gentoo Wiki Kernel Configuration]
* [[How to build the Alpine Linux kernel]]

[[Category:Kernel]]

Custom Kernel

2025-11-02T19:43:48Z

Pawciobiel: Review and update building

{{Draft}}

This process of building a '''custom configured kernel''' assumes you are running on Alpine Linux utilizing abuild & aports.

== But why? ==

You want to build a custom kernel to enable experimental hardware or features or outdated hardware, to reduce bloat further, to tune the kernel to the hardware.

The lts kernel for most Alpine ARCHs uses defaults to balance throughput at the expense of some responsiveness, and support for many devices. You can tweak the kernel for desktop use and low latency and responsiveness.

You should disable modules to increase security. By default, Alpine will install modules but not disable most of them. Disabling modules will reduce an DMA attack but not eliminate it completely. If you have a newer processor with VT-d, you can mitigate as long as you:

Leave <code>CONFIG_INTEL_IOMMU_DEFAULT_ON=y</code> or pass <code>intel_iommu=on</code> as a kernel parameter and disable kernel logging so the attacker doesn't gain DMAR address information through dmesg.[https://blog.frizk.net/2016/11/disable-virtualization-based-security.html] Also remove references to the kernel version to calculate the IOMMU addresses.[https://link.springer.com/content/pdf/10.1186/s13173-017-0066-7.pdf]

You may also want to harden your kernel by adding at least some of the config changes recommended by <code>kernel-hardening-checker</code> [https://github.com/a13xp0p0v/kernel-hardening-checker/]

To increase the security of the boot process, if you have a TPM, you could set <code>CONFIG_INTEL_TXT=y</code> (Enable Intel(R) Trusted Execution Technology (Intel(R) TXT)) (which is not enabled in the hardened kernel by default), then you would need the SINIT module (provided only by Intel)[https://software.intel.com/en-us/articles/intel-trusted-execution-technology], a possibly compiled TrustedGrub2[https://github.com/Rohde-Schwarz-Cybersecurity/TrustedGRUB2], trousers[https://sourceforge.net/projects/trousers/?source=navbar], tboot[https://sourceforge.net/projects/tboot/]. These packages are not in aports and it is unknown if these tools work on musl. It's not recommended for Edge. Also, there would be trigger packages to generate hashes for the kernel and the mkinitfs updates.

== Setting up the Alpine Build System ==

First, you need to follow the steps in [[Creating_an_Alpine_package#Setup_your_system_and_account|Setup your system and account for building packages]]. You also need to configure your {{path|/etc/apk/repositories}} so that they search locally for your apks. See [[Creating_an_Alpine_package#Testing_the_package_locally|Testing the package locally]] for details.

After setting up accounts and repos, change your shell's current working directory to '''aports''' that you just cloned.

{{cmd|$ cd aports}}

== Working with aports ==

We will try using an existing lts kernel just tweaking the {{path|lts.ARCH.config}} file.

=== Switching to the proper release version ===

You need to switch to the proper branch that matches the release so that the kernel compiles against the dependencies properly.

{| cellpadding="5" border="1" class="wikitable"
|-
! Alpine version
! Remote branch
|-
| Edge
| master
|-
| 3.17.0
| 3.17-stable
|-
|}

The following is required to get access to the {{path|APKBUILD}} released for that version of Alpine and which you will create a commit for.

If you are on 3.17 do:

{{cmd|$ git checkout -b 3.17-stable origin/3.17-stable}}

If you are on Edge do:

{{cmd|$ git checkout master}}

=== Creating your config ===

You can use {{pkg|linux-lts}} but what you should do is create a local branch by doing:

For Alpine 3.22 (linux-lts - 6.12):

{{cmd|$ git checkout -b my-custom-kernel origin/3.22-stable}}

For Alpine Edge:

{{cmd|$ git checkout -b my-custom-kernel}}

Doing it this way, you do less work in maintaining. All you need to do is keep ''master'' or ''3.22-stable'' in sync[https://help.github.com/articles/syncing-a-fork/][https://help.github.com/articles/configuring-a-remote-for-a-fork/] and merge any conflicts.

First switch to the branch by doing
<code>git checkout my-custom-kernel</code>.
Then, you need to navigate to the {{path|main/linux-lts}} folder where you should see a APKBUILD and some config- files.

You may want to change APKBUILD to change the name of your kernel and package (custom flavor or revision) and comment out or remove lines with config files that are not for your cpu architectures. This will avoid overriding your default ''linux-lts'' kernel modules and speed up the process of applying kernel patches applying it for your arch only. (Obviously ARCH in the following example is whatever architecture (x86, x86_64, ...) you use.)

When you are done with your edits to the APKBUILD file copy it {{path|lts.ARCH.config}} to {{path|.config}}. You can then move the {{path|.config}} back overriding the {{path|lts.ARCH.config}} generated by <code>make localmodconfig</code> or <code>make menuconfig</code> (discussed below in the ''Configuring kernel'' section). After generating your config, you need to run <code>abuild checksum</code>.
Then add your changes, eg <code>git add APKBUILD lts.ARCH.config</code>.
And commit <code>git commit APKBUILD config-NAME.ARCH -m "Enabled these options ...."</code> for your customization the '''ARCH'''itecture of your system. You do this so that git can keep your code separate from Alpine's and so your changes float forward between kernel updates.

== Adding custom patches ==

Custom patches should be added to ''sources=''.

After you added the URL, you need to produce a checksum by doing <code>abuild checksum</code>.

The custom patches may not be autopatched, due to being distributed as an archive or different patch level, so you need to define what to do with it in the prepare().

== Configuring kernel ==

Attempt to create a config for your currently running system and modules first.

To create a kernel config based on your currently running PC, use:
<code>make localmodconfig</code>
This command reads your current kernel's configuration from /proc/config.gz (if available) or /boot/config-* and creates a .config file that includes only the modules currently loaded on your system. This results in a minimal configuration tailored to your hardware.
Alternatively, you can use:
<code>make localyesconfig</code>
This is similar to ''localmodconfig'', but instead of building features as modules (m), it builds them directly into the kernel (y), which can result in a larger kernel image but eliminates the need for separate module files.
Note: Before running either command, make sure you have all the hardware you want to support actively in use (USB devices plugged in, network cards active, etc.) so their modules are loaded and included in the configuration.

The alternative is to use the kernel configuration menu in the build-NAME folder, but before you do that you need to <code>sudo apk add {{pkg|ncurses-dev}}</code>

After you are done using the menu in the build-NAME folder by doing <code>make menuconfig</code>, you want to remove <code>ncurses-dev</code>. When you are done, it will be stored in ''.config'' which you need to again override the {{path|lts.ARCH.config}} file. When you are done updating the {{path|config-NAME.ARCH}}, you need to do <code>abuild checksum</code>.

The options in the kernel config are typically defaults. If your device is old, it may be set to n by default.

=== Vanilla targets and tuning ===

{|cellpadding="5" border="1" class="wikitable"
!ARCH
!Processor Type / CPU Selection / System Type
!Code Generation / Instruction Extensions
!Timer Frequency
!Preemption Model
!Bitness
|-
|s390x
|IBM zEnterprise 114 and 196
|IBM zBC12 and zEC12 (<code>-march=zEC12 -mtune=zEC12</code>)
|1000 Hz
|No Forced Preemption (Server)
|64
|-
|ppc64le
|Server processors
|POWER8 (<code>-mcpu=power8</code>), AltiVec (<code>-Wa,-maltivec</code> to assembler or <code>-maltivec -mabi=altivec</code>), VSX
|1000 HZ
|No Forced Preemption (Server)
|64
|-
|ppc
|
512x/52xx/6xx/7xx/74xx/82xx/83xx/86xx
* Apple PowerMac based machines
|AltiVec (<code>-Wa,-maltivec</code> to assembler or <code>-maltivec -mabi=altivec</code>) on >=74xx
|1000 HZ
|No Forced Preemption (Server)
|32
|-
|x86_64
|Generic-x86-64
|(-mtune=generic ; SIMD assembly modules enabled based on simple compile test and/or presence of CPU flag)
|1000 HZ
|Voluntary Kernel Preemption (Desktop)
|64
|-
|x86
|586/K5/5x86/6x86/6x86MX
|(-mtune=generic ; SIMD assembly modules enabled based on simple compile test and/or presence of CPU flag)
|1000 HZ
|Voluntary Kernel Preemption (Desktop)
|32
|-
|armv7
|
* ARMv7 based platforms (Cortex-A, PJ4, Scorpion, Krait)
* Freescale i.MX family -- Cortex A (i.MX51, i.MX53, i.MX6 Quad/DualLite, i.MX6 SoloLite, i.MX6 SoloX, i.MX6 UltraLite, i.MX7 Dual)
* Qualcomm -- (MSM8X60, MSM8960, MSM8974)
* Allwinner SoCs -- (A10 (sun4i), A10s / A13 (sun5i), A31 (sun6i), A20 (sun7i), sun8i Family, (sun9i))
* ARM Ldt Versatile Express family --
|Either <code>-march=armv7-a</code> or <code>-march=armv5t -Wa,-march=armv7-a</code> based on a compile test. <code>-mfpu=vfp</code>
|1000 Hz
|Voluntary Kernel Preemption (Desktop)
|32
|-
|aarch64
|
* Allwinner sunxi 64-bit SoC Family
* Broadcom BCM2835 family
* Marvell Berlin SoC Family
* ARMv8 based Samsung Exynos SoC family
* ARMv8 based Freescale Layerscape SoC family
* Hisilicon SoC Family
* Mediatek MT65xx & MT81xx ARMv8 SoC
* Marvell EBU SoC Family
* Qualcomm Platforms
* Rockchip Platforms
* AMD Seattle SoC Family
* Altera's Stratix 10 SoCFPGA Family
* NVIDIA Tegra SoC Family
* Spreadtrum SoC platform
* Cavium Inc. Thunder SoC Family
* ARMv8 software model (Versatile Express)
* AppliedMicro X-Gene SOC Family
* Xilinx ZynqMP Family
|
|1000 HZ
|Voluntary Kernel Preemption (Desktop)
|64
|-
|}
If you do desktop multitasking, you may want to switch to Voluntary Kernel Preemption (Desktop) or Preemptible Kernel (Low-Latency Desktop) and up the Timer Frequency. If you run a dedicated render farm node or a dedicated bitcoin miner use No Forced Preemption (Server) and decrease the Timer Frequency.

Optimized modules (most are already compiled as modules):
* raid6 -- altivec, avx512, ssse3, avx2, mmx, sse, sse2, neon
* some operations of raid5 -- mmx (32 bit), sse (64 bit), avx
For Kernel API:
* 32-bit memcpy -- 3dnow
* 32-bit memory page clearing and copying -- sse (Athlon/K7 only), mmx
From x86/crypto, arm/crypto, powerpc/crypto:
* CAMELLIA -- avx2, avx, aes-ni
* CHACHA20 -- avx2, neon
* CAST5 -- avx
* CAST6 -- avx
* TWOFISH -- avx
* SERPENT -- avx2, avx, sse2
* SHA1 -- avx2, ssse3, neon, spe
* SHA2 -- avx2
* SHA256 -- ssse3, neon, spe
* SHA512 -- avx2, ssse3, neon
* POLY1305 -- avx2
* GHASH -- pclmulqdq (part of aes-ni), vmx (power8)
* AES -- aes-ni, neon, vmx (power8), spe
* CRC32 -- pclmulqdq, sse, neon, vmx (power8)
* CRCT10DIF -- pclmulqdq, sse, neon, vmx (power8)

=== Fast reboots with kexec ===
{{main|kexec}}

If you want to reboot the kernel fast avoiding the POST test, you need {{ic|doas apk add {{pkg|kexec-tools}}}} and enable kexec in the kernel:

Processor type and features
[*] kexec system call

=== Hibernation to prevent data loss ===

Power management and ACPI options
[*] Hibernation (aka 'suspend to disk')

Hibernation should be used if you have a laptop. You don't want the laptop to suddenly shut off resulting in data loss, you want it to save your work based on a percentage of battery life (this requires special script). When hibernation resumes, should lock and ask for credentials. Depending on your needs, the hibernated image can be encrypted/decrypted which again requires additional customization to scripts.

Hibernation with an unsanitized swap file is generally insecure because data and unlocked memory pages are swapped out in plaintext. To increase the security either disable swap or use an encrypted swap. The swap file/partition is typically used as the hibernation resume image.

== Building ==

Before building, make sure you have ccache installed. This should reduce compile time on multiple builds.
You may also want to read up on compile flags - perhaps you want your build to be optimized for speed (or size which is the default).
Review <code>/etc/abuild.conf</code> and set:
<code>
PACKAGER_PRIVKEY="/home/MY_USER_HERE/.abuild/my-email@mydomain.com-ID.rsa"
USE_CCACHE=1
</code>

If you have your config ready, first try building with <code>abuild -rK</code> which install most of the dependencies and keep buildtime temp dirs and files (srcdir/pkgdir/deps).

If it complains about a dependency like {{pkg|elfutils-dev}} use <code>-rKd</code>.
Then, when it prompts for values for new found config options just hold enter till it starts compiling the kernel.
Unless you removed or commented out <code>virt.*.config</code> configs
there should be two sets one for -lts and the other for the -virt.
Just {{Key|Ctrl}}+{{Key|C}} out of the compilation process after
the second set so you can further customize the config.
Then you go into the {{path|src/linux-VER}} and edit the config file.
Copy the {{path|.config}} file overriding the {{path|lts.ARCH.config}} in the srcdir.

== Installing ==

To install it you do a {{ic|doas apk add linux-NAME}} where NAME is your custom kernel name.

== Testing ==

Before you test, you should install the lts kernel too, using <code>apk add {{pkg|linux-lts}}</code>. You may be missing a module and can't boot, so you use the other kernel as the fallback boot kernel.

Normally during the installation using with ''apk'' there are tools that will update initramfs and a boot loader automatically for you. For easier debugging you may want to change boot loader config and remove <code>quiet</code> from linux command line in <code>/etc/default/grub</code> or <code>/etc/update-extlinux.conf</code>.
Or perhaps you want to change other kernel options in <code>/etc/mkinitfs/mkinitfs.conf</code> - please remember to generate initramfs and update your bootloader manually, eg:
<code>
# mkinitfs
# grub-mkconfig -o /boot/grub/grub.cfg
</code>

To test, first you should make a bootable Alpine USB image. Then, when you have your rescue USB done, you <code>reboot</code> the computer.

To test it, you basically do trial and error. Sometimes your config is missing something if you want to have a bare minimum setting.

If you are curious about correctness testing, some kernel modules or components do preform self tests at the beginning of the boot process. The tools may have test suites that you run with the make command.

== See Also ==
* [https://wiki.archlinux.org/title/Kernel Archwiki Kernels]
* [https://wiki.gentoo.org/wiki/Kernel Gentoo Wiki Kernel]
* [https://wiki.gentoo.org/wiki/Kernel/Configuration Gentoo Wiki Kernel Configuration]
* [[How to build the Alpine Linux kernel]]

[[Category:Kernel]]

Custom Kernel

2025-11-02T19:28:49Z

Pawciobiel: update info about localmodconfig and move build related info to building

{{Draft}}

This process of building a '''custom configured kernel''' assumes you are running on Alpine Linux utilizing abuild & aports.

== But why? ==

You want to build a custom kernel to enable experimental hardware or features or outdated hardware, to reduce bloat further, to tune the kernel to the hardware.

The lts kernel for most Alpine ARCHs uses defaults to balance throughput at the expense of some responsiveness, and support for many devices. You can tweak the kernel for desktop use and low latency and responsiveness.

You should disable modules to increase security. By default, Alpine will install modules but not disable most of them. Disabling modules will reduce an DMA attack but not eliminate it completely. If you have a newer processor with VT-d, you can mitigate as long as you:

Leave <code>CONFIG_INTEL_IOMMU_DEFAULT_ON=y</code> or pass <code>intel_iommu=on</code> as a kernel parameter and disable kernel logging so the attacker doesn't gain DMAR address information through dmesg.[https://blog.frizk.net/2016/11/disable-virtualization-based-security.html] Also remove references to the kernel version to calculate the IOMMU addresses.[https://link.springer.com/content/pdf/10.1186/s13173-017-0066-7.pdf]

You may also want to harden your kernel by adding at least some of the config changes recommended by <code>kernel-hardening-checker</code> [https://github.com/a13xp0p0v/kernel-hardening-checker/]

To increase the security of the boot process, if you have a TPM, you could set <code>CONFIG_INTEL_TXT=y</code> (Enable Intel(R) Trusted Execution Technology (Intel(R) TXT)) (which is not enabled in the hardened kernel by default), then you would need the SINIT module (provided only by Intel)[https://software.intel.com/en-us/articles/intel-trusted-execution-technology], a possibly compiled TrustedGrub2[https://github.com/Rohde-Schwarz-Cybersecurity/TrustedGRUB2], trousers[https://sourceforge.net/projects/trousers/?source=navbar], tboot[https://sourceforge.net/projects/tboot/]. These packages are not in aports and it is unknown if these tools work on musl. It's not recommended for Edge. Also, there would be trigger packages to generate hashes for the kernel and the mkinitfs updates.

== Setting up the Alpine Build System ==

First, you need to follow the steps in [[Creating_an_Alpine_package#Setup_your_system_and_account|Setup your system and account for building packages]]. You also need to configure your {{path|/etc/apk/repositories}} so that they search locally for your apks. See [[Creating_an_Alpine_package#Testing_the_package_locally|Testing the package locally]] for details.

After setting up accounts and repos, change your shell's current working directory to '''aports''' that you just cloned.

{{cmd|$ cd aports}}

== Working with aports ==

We will try using an existing lts kernel just tweaking the {{path|lts.ARCH.config}} file.

=== Switching to the proper release version ===

You need to switch to the proper branch that matches the release so that the kernel compiles against the dependencies properly.

{| cellpadding="5" border="1" class="wikitable"
|-
! Alpine version
! Remote branch
|-
| Edge
| master
|-
| 3.17.0
| 3.17-stable
|-
|}

The following is required to get access to the {{path|APKBUILD}} released for that version of Alpine and which you will create a commit for.

If you are on 3.17 do:

{{cmd|$ git checkout -b 3.17-stable origin/3.17-stable}}

If you are on Edge do:

{{cmd|$ git checkout master}}

=== Creating your config ===

You can use {{pkg|linux-lts}} but what you should do is create a local branch by doing:

For Alpine 3.22 (linux-lts - 6.12):

{{cmd|$ git checkout -b my-custom-kernel origin/3.22-stable}}

For Alpine Edge:

{{cmd|$ git checkout -b my-custom-kernel}}

Doing it this way, you do less work in maintaining. All you need to do is keep ''master'' or ''3.22-stable'' in sync[https://help.github.com/articles/syncing-a-fork/][https://help.github.com/articles/configuring-a-remote-for-a-fork/] and merge any conflicts.

First switch to the branch by doing
<code>git checkout my-custom-kernel</code>.
Then, you need to navigate to the {{path|main/linux-lts}} folder where you should see a APKBUILD and some config- files.

You may want to change APKBUILD to change the name of your kernel and package (custom flavor or revision) and comment out or remove lines with config files that are not for your cpu architectures. This will avoid overriding your default ''linux-lts'' kernel modules and speed up the process of applying kernel patches applying it for your arch only. (Obviously ARCH in the following example is whatever architecture (x86, x86_64, ...) you use.)

When you are done with your edits to the APKBUILD file copy it {{path|lts.ARCH.config}} to {{path|.config}}. You can then move the {{path|.config}} back overriding the {{path|lts.ARCH.config}} generated by <code>make localmodconfig</code> or <code>make menuconfig</code> (discussed below in the ''Configuring kernel'' section). After generating your config, you need to run <code>abuild checksum</code>.
Then add your changes, eg <code>git add APKBUILD lts.ARCH.config</code>.
And commit <code>git commit APKBUILD config-NAME.ARCH -m "Enabled these options ...."</code> for your customization the '''ARCH'''itecture of your system. You do this so that git can keep your code separate from Alpine's and so your changes float forward between kernel updates.

== Adding custom patches ==

Custom patches should be added to ''sources=''.

After you added the URL, you need to produce a checksum by doing <code>abuild checksum</code>.

The custom patches may not be autopatched, due to being distributed as an archive or different patch level, so you need to define what to do with it in the prepare().

== Configuring kernel ==

Attempt to create a config for your currently running system and modules first.

To create a kernel config based on your currently running PC, use:
<code>make localmodconfig</code>
This command reads your current kernel's configuration from /proc/config.gz (if available) or /boot/config-* and creates a .config file that includes only the modules currently loaded on your system. This results in a minimal configuration tailored to your hardware.
Alternatively, you can use:
<code>make localyesconfig</code>
This is similar to ''localmodconfig'', but instead of building features as modules (m), it builds them directly into the kernel (y), which can result in a larger kernel image but eliminates the need for separate module files.
Note: Before running either command, make sure you have all the hardware you want to support actively in use (USB devices plugged in, network cards active, etc.) so their modules are loaded and included in the configuration.

The alternative is to use the kernel configuration menu in the build-NAME folder, but before you do that you need to <code>sudo apk add {{pkg|ncurses-dev}}</code>

After you are done using the menu in the build-NAME folder by doing <code>make menuconfig</code>, you want to remove <code>ncurses-dev</code>. When you are done, it will be stored in ''.config'' which you need to again override the {{path|lts.ARCH.config}} file. When you are done updating the {{path|config-NAME.ARCH}}, you need to do <code>abuild checksum</code>.

The options in the kernel config are typically defaults. If your device is old, it may be set to n by default.

=== Vanilla targets and tuning ===

{|cellpadding="5" border="1" class="wikitable"
!ARCH
!Processor Type / CPU Selection / System Type
!Code Generation / Instruction Extensions
!Timer Frequency
!Preemption Model
!Bitness
|-
|s390x
|IBM zEnterprise 114 and 196
|IBM zBC12 and zEC12 (<code>-march=zEC12 -mtune=zEC12</code>)
|1000 Hz
|No Forced Preemption (Server)
|64
|-
|ppc64le
|Server processors
|POWER8 (<code>-mcpu=power8</code>), AltiVec (<code>-Wa,-maltivec</code> to assembler or <code>-maltivec -mabi=altivec</code>), VSX
|1000 HZ
|No Forced Preemption (Server)
|64
|-
|ppc
|
512x/52xx/6xx/7xx/74xx/82xx/83xx/86xx
* Apple PowerMac based machines
|AltiVec (<code>-Wa,-maltivec</code> to assembler or <code>-maltivec -mabi=altivec</code>) on >=74xx
|1000 HZ
|No Forced Preemption (Server)
|32
|-
|x86_64
|Generic-x86-64
|(-mtune=generic ; SIMD assembly modules enabled based on simple compile test and/or presence of CPU flag)
|1000 HZ
|Voluntary Kernel Preemption (Desktop)
|64
|-
|x86
|586/K5/5x86/6x86/6x86MX
|(-mtune=generic ; SIMD assembly modules enabled based on simple compile test and/or presence of CPU flag)
|1000 HZ
|Voluntary Kernel Preemption (Desktop)
|32
|-
|armv7
|
* ARMv7 based platforms (Cortex-A, PJ4, Scorpion, Krait)
* Freescale i.MX family -- Cortex A (i.MX51, i.MX53, i.MX6 Quad/DualLite, i.MX6 SoloLite, i.MX6 SoloX, i.MX6 UltraLite, i.MX7 Dual)
* Qualcomm -- (MSM8X60, MSM8960, MSM8974)
* Allwinner SoCs -- (A10 (sun4i), A10s / A13 (sun5i), A31 (sun6i), A20 (sun7i), sun8i Family, (sun9i))
* ARM Ldt Versatile Express family --
|Either <code>-march=armv7-a</code> or <code>-march=armv5t -Wa,-march=armv7-a</code> based on a compile test. <code>-mfpu=vfp</code>
|1000 Hz
|Voluntary Kernel Preemption (Desktop)
|32
|-
|aarch64
|
* Allwinner sunxi 64-bit SoC Family
* Broadcom BCM2835 family
* Marvell Berlin SoC Family
* ARMv8 based Samsung Exynos SoC family
* ARMv8 based Freescale Layerscape SoC family
* Hisilicon SoC Family
* Mediatek MT65xx & MT81xx ARMv8 SoC
* Marvell EBU SoC Family
* Qualcomm Platforms
* Rockchip Platforms
* AMD Seattle SoC Family
* Altera's Stratix 10 SoCFPGA Family
* NVIDIA Tegra SoC Family
* Spreadtrum SoC platform
* Cavium Inc. Thunder SoC Family
* ARMv8 software model (Versatile Express)
* AppliedMicro X-Gene SOC Family
* Xilinx ZynqMP Family
|
|1000 HZ
|Voluntary Kernel Preemption (Desktop)
|64
|-
|}
If you do desktop multitasking, you may want to switch to Voluntary Kernel Preemption (Desktop) or Preemptible Kernel (Low-Latency Desktop) and up the Timer Frequency. If you run a dedicated render farm node or a dedicated bitcoin miner use No Forced Preemption (Server) and decrease the Timer Frequency.

Optimized modules (most are already compiled as modules):
* raid6 -- altivec, avx512, ssse3, avx2, mmx, sse, sse2, neon
* some operations of raid5 -- mmx (32 bit), sse (64 bit), avx
For Kernel API:
* 32-bit memcpy -- 3dnow
* 32-bit memory page clearing and copying -- sse (Athlon/K7 only), mmx
From x86/crypto, arm/crypto, powerpc/crypto:
* CAMELLIA -- avx2, avx, aes-ni
* CHACHA20 -- avx2, neon
* CAST5 -- avx
* CAST6 -- avx
* TWOFISH -- avx
* SERPENT -- avx2, avx, sse2
* SHA1 -- avx2, ssse3, neon, spe
* SHA2 -- avx2
* SHA256 -- ssse3, neon, spe
* SHA512 -- avx2, ssse3, neon
* POLY1305 -- avx2
* GHASH -- pclmulqdq (part of aes-ni), vmx (power8)
* AES -- aes-ni, neon, vmx (power8), spe
* CRC32 -- pclmulqdq, sse, neon, vmx (power8)
* CRCT10DIF -- pclmulqdq, sse, neon, vmx (power8)

=== Fast reboots with kexec ===
{{main|kexec}}

If you want to reboot the kernel fast avoiding the POST test, you need {{ic|doas apk add {{pkg|kexec-tools}}}} and enable kexec in the kernel:

Processor type and features
[*] kexec system call

=== Hibernation to prevent data loss ===

Power management and ACPI options
[*] Hibernation (aka 'suspend to disk')

Hibernation should be used if you have a laptop. You don't want the laptop to suddenly shut off resulting in data loss, you want it to save your work based on a percentage of battery life (this requires special script). When hibernation resumes, should lock and ask for credentials. Depending on your needs, the hibernated image can be encrypted/decrypted which again requires additional customization to scripts.

Hibernation with an unsanitized swap file is generally insecure because data and unlocked memory pages are swapped out in plaintext. To increase the security either disable swap or use an encrypted swap. The swap file/partition is typically used as the hibernation resume image.

== Building ==

Before building, you may want to remove as many modules as possible. This will reduce the time to compile greatly. Also, you may want to use [https://github.com/ccache/ccache/ ccache] for faster recompiles especially if you are searching for the minimal set of options or modules to use or include.

You should then do an <code>abuild -r</code> to attempt to build it.

== Installing ==

To install it you do a {{ic|doas apk add linux-NAME}} where NAME is your custom kernel name.

== Testing ==

Before you test, you should install the lts kernel too, using <code>apk add {{pkg|linux-lts}}</code>. You may be missing a module and can't boot, so you use the other kernel as the fallback boot kernel.

Normally during the installation using with ''apk'' there are tools that will update initramfs and a boot loader automatically for you. For easier debugging you may want to change boot loader config and remove <code>quiet</code> from linux command line in <code>/etc/default/grub</code> or <code>/etc/update-extlinux.conf</code>.
Or perhaps you want to change other kernel options in <code>/etc/mkinitfs/mkinitfs.conf</code> - please remember to generate initramfs and update your bootloader manually, eg:
<code>
# mkinitfs
# grub-mkconfig -o /boot/grub/grub.cfg
</code>

To test, first you should make a bootable Alpine USB image. Then, when you have your rescue USB done, you <code>reboot</code> the computer.

To test it, you basically do trial and error. Sometimes your config is missing something if you want to have a bare minimum setting.

If you are curious about correctness testing, some kernel modules or components do preform self tests at the beginning of the boot process. The tools may have test suites that you run with the make command.

== See Also ==
* [https://wiki.archlinux.org/title/Kernel Archwiki Kernels]
* [https://wiki.gentoo.org/wiki/Kernel Gentoo Wiki Kernel]
* [https://wiki.gentoo.org/wiki/Kernel/Configuration Gentoo Wiki Kernel Configuration]
* [[How to build the Alpine Linux kernel]]

[[Category:Kernel]]

Custom Kernel

2025-11-02T19:14:49Z

Pawciobiel: update to 3.22 and rephrase

{{Draft}}

This process of building a '''custom configured kernel''' assumes you are running on Alpine Linux utilizing abuild & aports.

== But why? ==

You want to build a custom kernel to enable experimental hardware or features or outdated hardware, to reduce bloat further, to tune the kernel to the hardware.

The lts kernel for most Alpine ARCHs uses defaults to balance throughput at the expense of some responsiveness, and support for many devices. You can tweak the kernel for desktop use and low latency and responsiveness.

You should disable modules to increase security. By default, Alpine will install modules but not disable most of them. Disabling modules will reduce an DMA attack but not eliminate it completely. If you have a newer processor with VT-d, you can mitigate as long as you:

Leave <code>CONFIG_INTEL_IOMMU_DEFAULT_ON=y</code> or pass <code>intel_iommu=on</code> as a kernel parameter and disable kernel logging so the attacker doesn't gain DMAR address information through dmesg.[https://blog.frizk.net/2016/11/disable-virtualization-based-security.html] Also remove references to the kernel version to calculate the IOMMU addresses.[https://link.springer.com/content/pdf/10.1186/s13173-017-0066-7.pdf]

You may also want to harden your kernel by adding at least some of the config changes recommended by <code>kernel-hardening-checker</code> [https://github.com/a13xp0p0v/kernel-hardening-checker/]

To increase the security of the boot process, if you have a TPM, you could set <code>CONFIG_INTEL_TXT=y</code> (Enable Intel(R) Trusted Execution Technology (Intel(R) TXT)) (which is not enabled in the hardened kernel by default), then you would need the SINIT module (provided only by Intel)[https://software.intel.com/en-us/articles/intel-trusted-execution-technology], a possibly compiled TrustedGrub2[https://github.com/Rohde-Schwarz-Cybersecurity/TrustedGRUB2], trousers[https://sourceforge.net/projects/trousers/?source=navbar], tboot[https://sourceforge.net/projects/tboot/]. These packages are not in aports and it is unknown if these tools work on musl. It's not recommended for Edge. Also, there would be trigger packages to generate hashes for the kernel and the mkinitfs updates.

== Setting up the Alpine Build System ==

First, you need to follow the steps in [[Creating_an_Alpine_package#Setup_your_system_and_account|Setup your system and account for building packages]]. You also need to configure your {{path|/etc/apk/repositories}} so that they search locally for your apks. See [[Creating_an_Alpine_package#Testing_the_package_locally|Testing the package locally]] for details.

After setting up accounts and repos, change your shell's current working directory to '''aports''' that you just cloned.

{{cmd|$ cd aports}}

== Working with aports ==

We will try using an existing lts kernel just tweaking the {{path|lts.ARCH.config}} file.

=== Switching to the proper release version ===

You need to switch to the proper branch that matches the release so that the kernel compiles against the dependencies properly.

{| cellpadding="5" border="1" class="wikitable"
|-
! Alpine version
! Remote branch
|-
| Edge
| master
|-
| 3.17.0
| 3.17-stable
|-
|}

The following is required to get access to the {{path|APKBUILD}} released for that version of Alpine and which you will create a commit for.

If you are on 3.17 do:

{{cmd|$ git checkout -b 3.17-stable origin/3.17-stable}}

If you are on Edge do:

{{cmd|$ git checkout master}}

=== Creating your config ===

You can use {{pkg|linux-lts}} but what you should do is create a local branch by doing:

For Alpine 3.22 (linux-lts - 6.12):

{{cmd|$ git checkout -b my-custom-kernel origin/3.22-stable}}

For Alpine Edge:

{{cmd|$ git checkout -b my-custom-kernel}}

Doing it this way, you do less work in maintaining. All you need to do is keep ''master'' or ''3.22-stable'' in sync[https://help.github.com/articles/syncing-a-fork/][https://help.github.com/articles/configuring-a-remote-for-a-fork/] and merge any conflicts.

First switch to the branch by doing
<code>git checkout my-custom-kernel</code>.
Then, you need to navigate to the {{path|main/linux-lts}} folder where you should see a APKBUILD and some config- files.

You may want to change APKBUILD to change the name of your kernel and package (custom flavor or revision) and comment out or remove lines with config files that are not for your cpu architectures. This will avoid overriding your default ''linux-lts'' kernel modules and speed up the process of applying kernel patches applying it for your arch only. (Obviously ARCH in the following example is whatever architecture (x86, x86_64, ...) you use.)

When you are done with your edits to the APKBUILD file copy it {{path|lts.ARCH.config}} to {{path|.config}}. You can then move the {{path|.config}} back overriding the {{path|lts.ARCH.config}} generated by <code>make localmodconfig</code> or <code>make menuconfig</code> (discussed below in the ''Configuring kernel'' section). After generating your config, you need to run <code>abuild checksum</code>.
Then add your changes, eg <code>git add APKBUILD lts.ARCH.config</code>.
And commit <code>git commit APKBUILD config-NAME.ARCH -m "Enabled these options ...."</code> for your customization the '''ARCH'''itecture of your system. You do this so that git can keep your code separate from Alpine's and so your changes float forward between kernel updates.

== Adding custom patches ==

Custom patches should be added to ''sources=''.

After you added the URL, you need to produce a checksum by doing <code>abuild checksum</code>.

The custom patches may not be autopatched, due to being distributed as an archive or different patch level, so you need to define what to do with it in the prepare().

== Configuring kernel ==

Attempt to build the kernel first. To do that, you do <code>abuild -rK</code> to install most of the dependencies. If it complains about a dependency like {{pkg|elfutils-dev}} use <code>-rKd</code>. Then, when it prompts for values for new found config options just hold enter till it starts compiling the kernel. There should be two sets one for -lts and the other for the -virt. Just {{Key|Ctrl}}+{{Key|C}} out of the compilation process after the second set so you can further customize the config. Then you go into the {{path|src/linux-VER}} and edit the config file. Copy the {{path|.config}} file overriding the {{path|lts.ARCH.config}} in the srcdir.

The alternative is to use the kernel configuration menu in the build-NAME folder, but before you do that you need to <code>sudo apk add {{pkg|ncurses-dev}}</code>

After you are done using the menu in the build-NAME folder by doing <code>make menuconfig</code>, you want to remove <code>ncurses-dev</code>. When you are done, it will be stored in ''.config'' which you need to again override the {{path|lts.ARCH.config}} file. When you are done updating the {{path|config-NAME.ARCH}}, you need to do <code>abuild checksum</code>.

The options in the kernel config are typically defaults. If your device is old, it may be set to n by default.

=== Vanilla targets and tuning ===

{|cellpadding="5" border="1" class="wikitable"
!ARCH
!Processor Type / CPU Selection / System Type
!Code Generation / Instruction Extensions
!Timer Frequency
!Preemption Model
!Bitness
|-
|s390x
|IBM zEnterprise 114 and 196
|IBM zBC12 and zEC12 (<code>-march=zEC12 -mtune=zEC12</code>)
|1000 Hz
|No Forced Preemption (Server)
|64
|-
|ppc64le
|Server processors
|POWER8 (<code>-mcpu=power8</code>), AltiVec (<code>-Wa,-maltivec</code> to assembler or <code>-maltivec -mabi=altivec</code>), VSX
|1000 HZ
|No Forced Preemption (Server)
|64
|-
|ppc
|
512x/52xx/6xx/7xx/74xx/82xx/83xx/86xx
* Apple PowerMac based machines
|AltiVec (<code>-Wa,-maltivec</code> to assembler or <code>-maltivec -mabi=altivec</code>) on >=74xx
|1000 HZ
|No Forced Preemption (Server)
|32
|-
|x86_64
|Generic-x86-64
|(-mtune=generic ; SIMD assembly modules enabled based on simple compile test and/or presence of CPU flag)
|1000 HZ
|Voluntary Kernel Preemption (Desktop)
|64
|-
|x86
|586/K5/5x86/6x86/6x86MX
|(-mtune=generic ; SIMD assembly modules enabled based on simple compile test and/or presence of CPU flag)
|1000 HZ
|Voluntary Kernel Preemption (Desktop)
|32
|-
|armv7
|
* ARMv7 based platforms (Cortex-A, PJ4, Scorpion, Krait)
* Freescale i.MX family -- Cortex A (i.MX51, i.MX53, i.MX6 Quad/DualLite, i.MX6 SoloLite, i.MX6 SoloX, i.MX6 UltraLite, i.MX7 Dual)
* Qualcomm -- (MSM8X60, MSM8960, MSM8974)
* Allwinner SoCs -- (A10 (sun4i), A10s / A13 (sun5i), A31 (sun6i), A20 (sun7i), sun8i Family, (sun9i))
* ARM Ldt Versatile Express family --
|Either <code>-march=armv7-a</code> or <code>-march=armv5t -Wa,-march=armv7-a</code> based on a compile test. <code>-mfpu=vfp</code>
|1000 Hz
|Voluntary Kernel Preemption (Desktop)
|32
|-
|aarch64
|
* Allwinner sunxi 64-bit SoC Family
* Broadcom BCM2835 family
* Marvell Berlin SoC Family
* ARMv8 based Samsung Exynos SoC family
* ARMv8 based Freescale Layerscape SoC family
* Hisilicon SoC Family
* Mediatek MT65xx & MT81xx ARMv8 SoC
* Marvell EBU SoC Family
* Qualcomm Platforms
* Rockchip Platforms
* AMD Seattle SoC Family
* Altera's Stratix 10 SoCFPGA Family
* NVIDIA Tegra SoC Family
* Spreadtrum SoC platform
* Cavium Inc. Thunder SoC Family
* ARMv8 software model (Versatile Express)
* AppliedMicro X-Gene SOC Family
* Xilinx ZynqMP Family
|
|1000 HZ
|Voluntary Kernel Preemption (Desktop)
|64
|-
|}
If you do desktop multitasking, you may want to switch to Voluntary Kernel Preemption (Desktop) or Preemptible Kernel (Low-Latency Desktop) and up the Timer Frequency. If you run a dedicated render farm node or a dedicated bitcoin miner use No Forced Preemption (Server) and decrease the Timer Frequency.

Optimized modules (most are already compiled as modules):
* raid6 -- altivec, avx512, ssse3, avx2, mmx, sse, sse2, neon
* some operations of raid5 -- mmx (32 bit), sse (64 bit), avx
For Kernel API:
* 32-bit memcpy -- 3dnow
* 32-bit memory page clearing and copying -- sse (Athlon/K7 only), mmx
From x86/crypto, arm/crypto, powerpc/crypto:
* CAMELLIA -- avx2, avx, aes-ni
* CHACHA20 -- avx2, neon
* CAST5 -- avx
* CAST6 -- avx
* TWOFISH -- avx
* SERPENT -- avx2, avx, sse2
* SHA1 -- avx2, ssse3, neon, spe
* SHA2 -- avx2
* SHA256 -- ssse3, neon, spe
* SHA512 -- avx2, ssse3, neon
* POLY1305 -- avx2
* GHASH -- pclmulqdq (part of aes-ni), vmx (power8)
* AES -- aes-ni, neon, vmx (power8), spe
* CRC32 -- pclmulqdq, sse, neon, vmx (power8)
* CRCT10DIF -- pclmulqdq, sse, neon, vmx (power8)

=== Fast reboots with kexec ===
{{main|kexec}}

If you want to reboot the kernel fast avoiding the POST test, you need {{ic|doas apk add {{pkg|kexec-tools}}}} and enable kexec in the kernel:

Processor type and features
[*] kexec system call

=== Hibernation to prevent data loss ===

Power management and ACPI options
[*] Hibernation (aka 'suspend to disk')

Hibernation should be used if you have a laptop. You don't want the laptop to suddenly shut off resulting in data loss, you want it to save your work based on a percentage of battery life (this requires special script). When hibernation resumes, should lock and ask for credentials. Depending on your needs, the hibernated image can be encrypted/decrypted which again requires additional customization to scripts.

Hibernation with an unsanitized swap file is generally insecure because data and unlocked memory pages are swapped out in plaintext. To increase the security either disable swap or use an encrypted swap. The swap file/partition is typically used as the hibernation resume image.

== Building ==

Before building, you may want to remove as many modules as possible. This will reduce the time to compile greatly. Also, you may want to use [https://github.com/ccache/ccache/ ccache] for faster recompiles especially if you are searching for the minimal set of options or modules to use or include.

You should then do an <code>abuild -r</code> to attempt to build it.

== Installing ==

To install it you do a {{ic|doas apk add linux-NAME}} where NAME is your custom kernel name.

== Testing ==

Before you test, you should install the lts kernel too, using <code>apk add {{pkg|linux-lts}}</code>. You may be missing a module and can't boot, so you use the other kernel as the fallback boot kernel.

Normally during the installation using with ''apk'' there are tools that will update initramfs and a boot loader automatically for you. For easier debugging you may want to change boot loader config and remove <code>quiet</code> from linux command line in <code>/etc/default/grub</code> or <code>/etc/update-extlinux.conf</code>.
Or perhaps you want to change other kernel options in <code>/etc/mkinitfs/mkinitfs.conf</code> - please remember to generate initramfs and update your bootloader manually, eg:
<code>
# mkinitfs
# grub-mkconfig -o /boot/grub/grub.cfg
</code>

To test, first you should make a bootable Alpine USB image. Then, when you have your rescue USB done, you <code>reboot</code> the computer.

To test it, you basically do trial and error. Sometimes your config is missing something if you want to have a bare minimum setting.

If you are curious about correctness testing, some kernel modules or components do preform self tests at the beginning of the boot process. The tools may have test suites that you run with the make command.

== See Also ==
* [https://wiki.archlinux.org/title/Kernel Archwiki Kernels]
* [https://wiki.gentoo.org/wiki/Kernel Gentoo Wiki Kernel]
* [https://wiki.gentoo.org/wiki/Kernel/Configuration Gentoo Wiki Kernel Configuration]
* [[How to build the Alpine Linux kernel]]

[[Category:Kernel]]

Custom Kernel

2025-11-02T18:43:11Z

Pawciobiel: typo yo -> you

{{Draft}}

This process of building a '''custom configured kernel''' assumes you are running on Alpine Linux utilizing abuild & aports.

== But why? ==

You want to build a custom kernel to enable experimental hardware or features or outdated hardware, to reduce bloat further, to tune the kernel to the hardware.

The lts kernel for most Alpine ARCHs uses defaults to balance throughput at the expense of some responsiveness, and support for many devices. You can tweak the kernel for desktop use and low latency and responsiveness.

You should disable modules to increase security. By default, Alpine will install modules but not disable most of them. Disabling modules will reduce an DMA attack but not eliminate it completely. If you have a newer processor with VT-d, you can mitigate as long as you:

Leave <code>CONFIG_INTEL_IOMMU_DEFAULT_ON=y</code> or pass <code>intel_iommu=on</code> as a kernel parameter and disable kernel logging so the attacker doesn't gain DMAR address information through dmesg.[https://blog.frizk.net/2016/11/disable-virtualization-based-security.html] Also remove references to the kernel version to calculate the IOMMU addresses.[https://link.springer.com/content/pdf/10.1186/s13173-017-0066-7.pdf]

You may also want to harden your kernel by adding at least some of the config changes recommended by <code>kernel-hardening-checker</code> [https://github.com/a13xp0p0v/kernel-hardening-checker/]

To increase the security of the boot process, if you have a TPM, you could set <code>CONFIG_INTEL_TXT=y</code> (Enable Intel(R) Trusted Execution Technology (Intel(R) TXT)) (which is not enabled in the hardened kernel by default), then you would need the SINIT module (provided only by Intel)[https://software.intel.com/en-us/articles/intel-trusted-execution-technology], a possibly compiled TrustedGrub2[https://github.com/Rohde-Schwarz-Cybersecurity/TrustedGRUB2], trousers[https://sourceforge.net/projects/trousers/?source=navbar], tboot[https://sourceforge.net/projects/tboot/]. These packages are not in aports and it is unknown if these tools work on musl. It's not recommended for Edge. Also, there would be trigger packages to generate hashes for the kernel and the mkinitfs updates.

== Setting up the Alpine Build System ==

First, you need to follow the steps in [[Creating_an_Alpine_package#Setup_your_system_and_account|Setup your system and account for building packages]]. You also need to configure your {{path|/etc/apk/repositories}} so that they search locally for your apks. See [[Creating_an_Alpine_package#Testing_the_package_locally|Testing the package locally]] for details.

After setting up accounts and repos, change your shell's current working directory to '''aports''' that you just cloned.

{{cmd|$ cd aports}}

== Working with aports ==

We will try using an existing lts kernel just tweaking the {{path|lts.ARCH.config}} file.

=== Switching to the proper release version ===

You need to switch to the proper branch that matches the release so that the kernel compiles against the dependencies properly.

{| cellpadding="5" border="1" class="wikitable"
|-
! Alpine version
! Remote branch
|-
| Edge
| master
|-
| 3.17.0
| 3.17-stable
|-
|}

The following is required to get access to the {{path|APKBUILD}} released for that version of Alpine and which you will create a commit for.

If you are on 3.17 do:

{{cmd|$ git checkout -b 3.17-stable origin/3.17-stable}}

If you are on Edge do:

{{cmd|$ git checkout master}}

=== Creating your config ===

You can use {{pkg|linux-lts}} but what you should do is create a local branch by doing:

For Alpine Edge:

{{cmd|$ git checkout -b my-custom-kernel}}

For Alpine 3.17:

{{cmd|$ git checkout -b my-custom-kernel origin/3.17-stable}}

Doing it this way, you do less work in maintaining. All you need to do is keep ''master'' or ''3.17-stable'' in sync[https://help.github.com/articles/syncing-a-fork/][https://help.github.com/articles/configuring-a-remote-for-a-fork/] and merge any conflicts.

First switch to the branch by doing <code>git checkout my-custom-kernel</code>. Then, you need to navigate to the {{path|main/linux-lts}} folder where you should see a APKBUILD and some config- files. When you are done with your edits either by editing directly the APKBUILD and copying the {{path|lts.ARCH.config}} as {{path|.config}} in the {{path|linux-lts}} folder. You will then move the {{path|.config}} back overriding the {{path|lts.ARCH.config}} generated by <code>make menuconfig</code> (discussed below in the ''Configuring kernel'' section). After generating your config, you need to <code>abuild checksum</code>. Then, do <code>git add APKBUILD lts.ARCH.config</code> where ARCH is whatever architecture (x86, x86_64, ...) you use. Then, you need to do <code>git commit APKBUILD config-NAME.ARCH -m "Enabled these options ...."</code> for your customization the ARCHitecture of your system. You do this so that git can keep your code separate from Alpine's and so your changes float forward between kernel updates.

== Adding custom patches ==

Custom patches should be added to ''sources=''.

After you added the URL, you need to produce a checksum by doing <code>abuild checksum</code>.

The custom patches may not be autopatched, due to being distributed as an archive or different patch level, so you need to define what to do with it in the prepare().

== Configuring kernel ==

Attempt to build the kernel first. To do that, you do <code>abuild -rK</code> to install most of the dependencies. If it complains about a dependency like {{pkg|elfutils-dev}} use <code>-rKd</code>. Then, when it prompts for values for new found config options just hold enter till it starts compiling the kernel. There should be two sets one for -lts and the other for the -virt. Just {{Key|Ctrl}}+{{Key|C}} out of the compilation process after the second set so you can further customize the config. Then you go into the {{path|src/linux-VER}} and edit the config file. Copy the {{path|.config}} file overriding the {{path|lts.ARCH.config}} in the srcdir.

The alternative is to use the kernel configuration menu in the build-NAME folder, but before you do that you need to <code>sudo apk add {{pkg|ncurses-dev}}</code>

After you are done using the menu in the build-NAME folder by doing <code>make menuconfig</code>, you want to remove <code>ncurses-dev</code>. When you are done, it will be stored in ''.config'' which you need to again override the {{path|lts.ARCH.config}} file. When you are done updating the {{path|config-NAME.ARCH}}, you need to do <code>abuild checksum</code>.

The options in the kernel config are typically defaults. If your device is old, it may be set to n by default.

=== Vanilla targets and tuning ===

{|cellpadding="5" border="1" class="wikitable"
!ARCH
!Processor Type / CPU Selection / System Type
!Code Generation / Instruction Extensions
!Timer Frequency
!Preemption Model
!Bitness
|-
|s390x
|IBM zEnterprise 114 and 196
|IBM zBC12 and zEC12 (<code>-march=zEC12 -mtune=zEC12</code>)
|1000 Hz
|No Forced Preemption (Server)
|64
|-
|ppc64le
|Server processors
|POWER8 (<code>-mcpu=power8</code>), AltiVec (<code>-Wa,-maltivec</code> to assembler or <code>-maltivec -mabi=altivec</code>), VSX
|1000 HZ
|No Forced Preemption (Server)
|64
|-
|ppc
|
512x/52xx/6xx/7xx/74xx/82xx/83xx/86xx
* Apple PowerMac based machines
|AltiVec (<code>-Wa,-maltivec</code> to assembler or <code>-maltivec -mabi=altivec</code>) on >=74xx
|1000 HZ
|No Forced Preemption (Server)
|32
|-
|x86_64
|Generic-x86-64
|(-mtune=generic ; SIMD assembly modules enabled based on simple compile test and/or presence of CPU flag)
|1000 HZ
|Voluntary Kernel Preemption (Desktop)
|64
|-
|x86
|586/K5/5x86/6x86/6x86MX
|(-mtune=generic ; SIMD assembly modules enabled based on simple compile test and/or presence of CPU flag)
|1000 HZ
|Voluntary Kernel Preemption (Desktop)
|32
|-
|armv7
|
* ARMv7 based platforms (Cortex-A, PJ4, Scorpion, Krait)
* Freescale i.MX family -- Cortex A (i.MX51, i.MX53, i.MX6 Quad/DualLite, i.MX6 SoloLite, i.MX6 SoloX, i.MX6 UltraLite, i.MX7 Dual)
* Qualcomm -- (MSM8X60, MSM8960, MSM8974)
* Allwinner SoCs -- (A10 (sun4i), A10s / A13 (sun5i), A31 (sun6i), A20 (sun7i), sun8i Family, (sun9i))
* ARM Ldt Versatile Express family --
|Either <code>-march=armv7-a</code> or <code>-march=armv5t -Wa,-march=armv7-a</code> based on a compile test. <code>-mfpu=vfp</code>
|1000 Hz
|Voluntary Kernel Preemption (Desktop)
|32
|-
|aarch64
|
* Allwinner sunxi 64-bit SoC Family
* Broadcom BCM2835 family
* Marvell Berlin SoC Family
* ARMv8 based Samsung Exynos SoC family
* ARMv8 based Freescale Layerscape SoC family
* Hisilicon SoC Family
* Mediatek MT65xx & MT81xx ARMv8 SoC
* Marvell EBU SoC Family
* Qualcomm Platforms
* Rockchip Platforms
* AMD Seattle SoC Family
* Altera's Stratix 10 SoCFPGA Family
* NVIDIA Tegra SoC Family
* Spreadtrum SoC platform
* Cavium Inc. Thunder SoC Family
* ARMv8 software model (Versatile Express)
* AppliedMicro X-Gene SOC Family
* Xilinx ZynqMP Family
|
|1000 HZ
|Voluntary Kernel Preemption (Desktop)
|64
|-
|}
If you do desktop multitasking, you may want to switch to Voluntary Kernel Preemption (Desktop) or Preemptible Kernel (Low-Latency Desktop) and up the Timer Frequency. If you run a dedicated render farm node or a dedicated bitcoin miner use No Forced Preemption (Server) and decrease the Timer Frequency.

Optimized modules (most are already compiled as modules):
* raid6 -- altivec, avx512, ssse3, avx2, mmx, sse, sse2, neon
* some operations of raid5 -- mmx (32 bit), sse (64 bit), avx
For Kernel API:
* 32-bit memcpy -- 3dnow
* 32-bit memory page clearing and copying -- sse (Athlon/K7 only), mmx
From x86/crypto, arm/crypto, powerpc/crypto:
* CAMELLIA -- avx2, avx, aes-ni
* CHACHA20 -- avx2, neon
* CAST5 -- avx
* CAST6 -- avx
* TWOFISH -- avx
* SERPENT -- avx2, avx, sse2
* SHA1 -- avx2, ssse3, neon, spe
* SHA2 -- avx2
* SHA256 -- ssse3, neon, spe
* SHA512 -- avx2, ssse3, neon
* POLY1305 -- avx2
* GHASH -- pclmulqdq (part of aes-ni), vmx (power8)
* AES -- aes-ni, neon, vmx (power8), spe
* CRC32 -- pclmulqdq, sse, neon, vmx (power8)
* CRCT10DIF -- pclmulqdq, sse, neon, vmx (power8)

=== Fast reboots with kexec ===
{{main|kexec}}

If you want to reboot the kernel fast avoiding the POST test, you need {{ic|doas apk add {{pkg|kexec-tools}}}} and enable kexec in the kernel:

Processor type and features
[*] kexec system call

=== Hibernation to prevent data loss ===

Power management and ACPI options
[*] Hibernation (aka 'suspend to disk')

Hibernation should be used if you have a laptop. You don't want the laptop to suddenly shut off resulting in data loss, you want it to save your work based on a percentage of battery life (this requires special script). When hibernation resumes, should lock and ask for credentials. Depending on your needs, the hibernated image can be encrypted/decrypted which again requires additional customization to scripts.

Hibernation with an unsanitized swap file is generally insecure because data and unlocked memory pages are swapped out in plaintext. To increase the security either disable swap or use an encrypted swap. The swap file/partition is typically used as the hibernation resume image.

== Building ==

Before building, you may want to remove as many modules as possible. This will reduce the time to compile greatly. Also, you may want to use [https://github.com/ccache/ccache/ ccache] for faster recompiles especially if you are searching for the minimal set of options or modules to use or include.

You should then do an <code>abuild -r</code> to attempt to build it.

== Installing ==

To install it you do a {{ic|doas apk add linux-NAME}} where NAME is your custom kernel name.

== Testing ==

Before you test, you should install the lts kernel too, using <code>apk add {{pkg|linux-lts}}</code>. You may be missing a module and can't boot, so you use the other kernel as the fallback boot kernel.

Normally during the installation using with ''apk'' there are tools that will update initramfs and a boot loader automatically for you. For easier debugging you may want to change boot loader config and remove <code>quiet</code> from linux command line in <code>/etc/default/grub</code> or <code>/etc/update-extlinux.conf</code>.
Or perhaps you want to change other kernel options in <code>/etc/mkinitfs/mkinitfs.conf</code> - please remember to generate initramfs and update your bootloader manually, eg:
<code>
# mkinitfs
# grub-mkconfig -o /boot/grub/grub.cfg
</code>

To test, first you should make a bootable Alpine USB image. Then, when you have your rescue USB done, you <code>reboot</code> the computer.

To test it, you basically do trial and error. Sometimes your config is missing something if you want to have a bare minimum setting.

If you are curious about correctness testing, some kernel modules or components do preform self tests at the beginning of the boot process. The tools may have test suites that you run with the make command.

== See Also ==
* [https://wiki.archlinux.org/title/Kernel Archwiki Kernels]
* [https://wiki.gentoo.org/wiki/Kernel Gentoo Wiki Kernel]
* [https://wiki.gentoo.org/wiki/Kernel/Configuration Gentoo Wiki Kernel Configuration]
* [[How to build the Alpine Linux kernel]]

[[Category:Kernel]]

Custom Kernel

2025-11-02T18:42:37Z

Pawciobiel: Add some example info about updating initramfs and bootloader

{{Draft}}

This process of building a '''custom configured kernel''' assumes you are running on Alpine Linux utilizing abuild & aports.

== But why? ==

You want to build a custom kernel to enable experimental hardware or features or outdated hardware, to reduce bloat further, to tune the kernel to the hardware.

The lts kernel for most Alpine ARCHs uses defaults to balance throughput at the expense of some responsiveness, and support for many devices. You can tweak the kernel for desktop use and low latency and responsiveness.

You should disable modules to increase security. By default, Alpine will install modules but not disable most of them. Disabling modules will reduce an DMA attack but not eliminate it completely. If you have a newer processor with VT-d, you can mitigate as long as you:

Leave <code>CONFIG_INTEL_IOMMU_DEFAULT_ON=y</code> or pass <code>intel_iommu=on</code> as a kernel parameter and disable kernel logging so the attacker doesn't gain DMAR address information through dmesg.[https://blog.frizk.net/2016/11/disable-virtualization-based-security.html] Also remove references to the kernel version to calculate the IOMMU addresses.[https://link.springer.com/content/pdf/10.1186/s13173-017-0066-7.pdf]

You may also want to harden your kernel by adding at least some of the config changes recommended by <code>kernel-hardening-checker</code> [https://github.com/a13xp0p0v/kernel-hardening-checker/]

To increase the security of the boot process, if you have a TPM, you could set <code>CONFIG_INTEL_TXT=y</code> (Enable Intel(R) Trusted Execution Technology (Intel(R) TXT)) (which is not enabled in the hardened kernel by default), then you would need the SINIT module (provided only by Intel)[https://software.intel.com/en-us/articles/intel-trusted-execution-technology], a possibly compiled TrustedGrub2[https://github.com/Rohde-Schwarz-Cybersecurity/TrustedGRUB2], trousers[https://sourceforge.net/projects/trousers/?source=navbar], tboot[https://sourceforge.net/projects/tboot/]. These packages are not in aports and it is unknown if these tools work on musl. It's not recommended for Edge. Also, there would be trigger packages to generate hashes for the kernel and the mkinitfs updates.

== Setting up the Alpine Build System ==

First, you need to follow the steps in [[Creating_an_Alpine_package#Setup_your_system_and_account|Setup your system and account for building packages]]. You also need to configure your {{path|/etc/apk/repositories}} so that they search locally for your apks. See [[Creating_an_Alpine_package#Testing_the_package_locally|Testing the package locally]] for details.

After setting up accounts and repos, change your shell's current working directory to '''aports''' that you just cloned.

{{cmd|$ cd aports}}

== Working with aports ==

We will try using an existing lts kernel just tweaking the {{path|lts.ARCH.config}} file.

=== Switching to the proper release version ===

You need to switch to the proper branch that matches the release so that the kernel compiles against the dependencies properly.

{| cellpadding="5" border="1" class="wikitable"
|-
! Alpine version
! Remote branch
|-
| Edge
| master
|-
| 3.17.0
| 3.17-stable
|-
|}

The following is required to get access to the {{path|APKBUILD}} released for that version of Alpine and which you will create a commit for.

If you are on 3.17 do:

{{cmd|$ git checkout -b 3.17-stable origin/3.17-stable}}

If you are on Edge do:

{{cmd|$ git checkout master}}

=== Creating your config ===

You can use {{pkg|linux-lts}} but what you should do is create a local branch by doing:

For Alpine Edge:

{{cmd|$ git checkout -b my-custom-kernel}}

For Alpine 3.17:

{{cmd|$ git checkout -b my-custom-kernel origin/3.17-stable}}

Doing it this way, you do less work in maintaining. All you need to do is keep ''master'' or ''3.17-stable'' in sync[https://help.github.com/articles/syncing-a-fork/][https://help.github.com/articles/configuring-a-remote-for-a-fork/] and merge any conflicts.

First switch to the branch by doing <code>git checkout my-custom-kernel</code>. Then, you need to navigate to the {{path|main/linux-lts}} folder where you should see a APKBUILD and some config- files. When you are done with your edits either by editing directly the APKBUILD and copying the {{path|lts.ARCH.config}} as {{path|.config}} in the {{path|linux-lts}} folder. You will then move the {{path|.config}} back overriding the {{path|lts.ARCH.config}} generated by <code>make menuconfig</code> (discussed below in the ''Configuring kernel'' section). After generating your config, you need to <code>abuild checksum</code>. Then, do <code>git add APKBUILD lts.ARCH.config</code> where ARCH is whatever architecture (x86, x86_64, ...) you use. Then, you need to do <code>git commit APKBUILD config-NAME.ARCH -m "Enabled these options ...."</code> for your customization the ARCHitecture of your system. You do this so that git can keep your code separate from Alpine's and so your changes float forward between kernel updates.

== Adding custom patches ==

Custom patches should be added to ''sources=''.

After you added the URL, you need to produce a checksum by doing <code>abuild checksum</code>.

The custom patches may not be autopatched, due to being distributed as an archive or different patch level, so you need to define what to do with it in the prepare().

== Configuring kernel ==

Attempt to build the kernel first. To do that, you do <code>abuild -rK</code> to install most of the dependencies. If it complains about a dependency like {{pkg|elfutils-dev}} use <code>-rKd</code>. Then, when it prompts for values for new found config options just hold enter till it starts compiling the kernel. There should be two sets one for -lts and the other for the -virt. Just {{Key|Ctrl}}+{{Key|C}} out of the compilation process after the second set so you can further customize the config. Then you go into the {{path|src/linux-VER}} and edit the config file. Copy the {{path|.config}} file overriding the {{path|lts.ARCH.config}} in the srcdir.

The alternative is to use the kernel configuration menu in the build-NAME folder, but before yo do that you need to <code>sudo apk add {{pkg|ncurses-dev}}</code>

After you are done using the menu in the build-NAME folder by doing <code>make menuconfig</code>, you want to remove <code>ncurses-dev</code>. When you are done, it will be stored in ''.config'' which you need to again override the {{path|lts.ARCH.config}} file. When you are done updating the {{path|config-NAME.ARCH}}, you need to do <code>abuild checksum</code>.

The options in the kernel config are typically defaults. If your device is old, it may be set to n by default.

=== Vanilla targets and tuning ===

{|cellpadding="5" border="1" class="wikitable"
!ARCH
!Processor Type / CPU Selection / System Type
!Code Generation / Instruction Extensions
!Timer Frequency
!Preemption Model
!Bitness
|-
|s390x
|IBM zEnterprise 114 and 196
|IBM zBC12 and zEC12 (<code>-march=zEC12 -mtune=zEC12</code>)
|1000 Hz
|No Forced Preemption (Server)
|64
|-
|ppc64le
|Server processors
|POWER8 (<code>-mcpu=power8</code>), AltiVec (<code>-Wa,-maltivec</code> to assembler or <code>-maltivec -mabi=altivec</code>), VSX
|1000 HZ
|No Forced Preemption (Server)
|64
|-
|ppc
|
512x/52xx/6xx/7xx/74xx/82xx/83xx/86xx
* Apple PowerMac based machines
|AltiVec (<code>-Wa,-maltivec</code> to assembler or <code>-maltivec -mabi=altivec</code>) on >=74xx
|1000 HZ
|No Forced Preemption (Server)
|32
|-
|x86_64
|Generic-x86-64
|(-mtune=generic ; SIMD assembly modules enabled based on simple compile test and/or presence of CPU flag)
|1000 HZ
|Voluntary Kernel Preemption (Desktop)
|64
|-
|x86
|586/K5/5x86/6x86/6x86MX
|(-mtune=generic ; SIMD assembly modules enabled based on simple compile test and/or presence of CPU flag)
|1000 HZ
|Voluntary Kernel Preemption (Desktop)
|32
|-
|armv7
|
* ARMv7 based platforms (Cortex-A, PJ4, Scorpion, Krait)
* Freescale i.MX family -- Cortex A (i.MX51, i.MX53, i.MX6 Quad/DualLite, i.MX6 SoloLite, i.MX6 SoloX, i.MX6 UltraLite, i.MX7 Dual)
* Qualcomm -- (MSM8X60, MSM8960, MSM8974)
* Allwinner SoCs -- (A10 (sun4i), A10s / A13 (sun5i), A31 (sun6i), A20 (sun7i), sun8i Family, (sun9i))
* ARM Ldt Versatile Express family --
|Either <code>-march=armv7-a</code> or <code>-march=armv5t -Wa,-march=armv7-a</code> based on a compile test. <code>-mfpu=vfp</code>
|1000 Hz
|Voluntary Kernel Preemption (Desktop)
|32
|-
|aarch64
|
* Allwinner sunxi 64-bit SoC Family
* Broadcom BCM2835 family
* Marvell Berlin SoC Family
* ARMv8 based Samsung Exynos SoC family
* ARMv8 based Freescale Layerscape SoC family
* Hisilicon SoC Family
* Mediatek MT65xx & MT81xx ARMv8 SoC
* Marvell EBU SoC Family
* Qualcomm Platforms
* Rockchip Platforms
* AMD Seattle SoC Family
* Altera's Stratix 10 SoCFPGA Family
* NVIDIA Tegra SoC Family
* Spreadtrum SoC platform
* Cavium Inc. Thunder SoC Family
* ARMv8 software model (Versatile Express)
* AppliedMicro X-Gene SOC Family
* Xilinx ZynqMP Family
|
|1000 HZ
|Voluntary Kernel Preemption (Desktop)
|64
|-
|}
If you do desktop multitasking, you may want to switch to Voluntary Kernel Preemption (Desktop) or Preemptible Kernel (Low-Latency Desktop) and up the Timer Frequency. If you run a dedicated render farm node or a dedicated bitcoin miner use No Forced Preemption (Server) and decrease the Timer Frequency.

Optimized modules (most are already compiled as modules):
* raid6 -- altivec, avx512, ssse3, avx2, mmx, sse, sse2, neon
* some operations of raid5 -- mmx (32 bit), sse (64 bit), avx
For Kernel API:
* 32-bit memcpy -- 3dnow
* 32-bit memory page clearing and copying -- sse (Athlon/K7 only), mmx
From x86/crypto, arm/crypto, powerpc/crypto:
* CAMELLIA -- avx2, avx, aes-ni
* CHACHA20 -- avx2, neon
* CAST5 -- avx
* CAST6 -- avx
* TWOFISH -- avx
* SERPENT -- avx2, avx, sse2
* SHA1 -- avx2, ssse3, neon, spe
* SHA2 -- avx2
* SHA256 -- ssse3, neon, spe
* SHA512 -- avx2, ssse3, neon
* POLY1305 -- avx2
* GHASH -- pclmulqdq (part of aes-ni), vmx (power8)
* AES -- aes-ni, neon, vmx (power8), spe
* CRC32 -- pclmulqdq, sse, neon, vmx (power8)
* CRCT10DIF -- pclmulqdq, sse, neon, vmx (power8)

=== Fast reboots with kexec ===
{{main|kexec}}

If you want to reboot the kernel fast avoiding the POST test, you need {{ic|doas apk add {{pkg|kexec-tools}}}} and enable kexec in the kernel:

Processor type and features
[*] kexec system call

=== Hibernation to prevent data loss ===

Power management and ACPI options
[*] Hibernation (aka 'suspend to disk')

Hibernation should be used if you have a laptop. You don't want the laptop to suddenly shut off resulting in data loss, you want it to save your work based on a percentage of battery life (this requires special script). When hibernation resumes, should lock and ask for credentials. Depending on your needs, the hibernated image can be encrypted/decrypted which again requires additional customization to scripts.

Hibernation with an unsanitized swap file is generally insecure because data and unlocked memory pages are swapped out in plaintext. To increase the security either disable swap or use an encrypted swap. The swap file/partition is typically used as the hibernation resume image.

== Building ==

Before building, you may want to remove as many modules as possible. This will reduce the time to compile greatly. Also, you may want to use [https://github.com/ccache/ccache/ ccache] for faster recompiles especially if you are searching for the minimal set of options or modules to use or include.

You should then do an <code>abuild -r</code> to attempt to build it.

== Installing ==

To install it you do a {{ic|doas apk add linux-NAME}} where NAME is your custom kernel name.

== Testing ==

Before you test, you should install the lts kernel too, using <code>apk add {{pkg|linux-lts}}</code>. You may be missing a module and can't boot, so you use the other kernel as the fallback boot kernel.

Normally during the installation using with ''apk'' there are tools that will update initramfs and a boot loader automatically for you. For easier debugging you may want to change boot loader config and remove <code>quiet</code> from linux command line in <code>/etc/default/grub</code> or <code>/etc/update-extlinux.conf</code>.
Or perhaps you want to change other kernel options in <code>/etc/mkinitfs/mkinitfs.conf</code> - please remember to generate initramfs and update your bootloader manually, eg:
<code>
# mkinitfs
# grub-mkconfig -o /boot/grub/grub.cfg
</code>

To test, first you should make a bootable Alpine USB image. Then, when you have your rescue USB done, you <code>reboot</code> the computer.

To test it, you basically do trial and error. Sometimes your config is missing something if you want to have a bare minimum setting.

If you are curious about correctness testing, some kernel modules or components do preform self tests at the beginning of the boot process. The tools may have test suites that you run with the make command.

== See Also ==
* [https://wiki.archlinux.org/title/Kernel Archwiki Kernels]
* [https://wiki.gentoo.org/wiki/Kernel Gentoo Wiki Kernel]
* [https://wiki.gentoo.org/wiki/Kernel/Configuration Gentoo Wiki Kernel Configuration]
* [[How to build the Alpine Linux kernel]]

[[Category:Kernel]]

Custom Kernel

2025-11-02T18:11:03Z

Pawciobiel: add info about kernel-hardening-checker

{{Draft}}

This process of building a '''custom configured kernel''' assumes you are running on Alpine Linux utilizing abuild & aports.

== But why? ==

You want to build a custom kernel to enable experimental hardware or features or outdated hardware, to reduce bloat further, to tune the kernel to the hardware.

The lts kernel for most Alpine ARCHs uses defaults to balance throughput at the expense of some responsiveness, and support for many devices. You can tweak the kernel for desktop use and low latency and responsiveness.

You should disable modules to increase security. By default, Alpine will install modules but not disable most of them. Disabling modules will reduce an DMA attack but not eliminate it completely. If you have a newer processor with VT-d, you can mitigate as long as you:

Leave <code>CONFIG_INTEL_IOMMU_DEFAULT_ON=y</code> or pass <code>intel_iommu=on</code> as a kernel parameter and disable kernel logging so the attacker doesn't gain DMAR address information through dmesg.[https://blog.frizk.net/2016/11/disable-virtualization-based-security.html] Also remove references to the kernel version to calculate the IOMMU addresses.[https://link.springer.com/content/pdf/10.1186/s13173-017-0066-7.pdf]

You may also want to harden your kernel by adding at least some of the config changes recommended by <code>kernel-hardening-checker</code> [https://github.com/a13xp0p0v/kernel-hardening-checker/]

To increase the security of the boot process, if you have a TPM, you could set <code>CONFIG_INTEL_TXT=y</code> (Enable Intel(R) Trusted Execution Technology (Intel(R) TXT)) (which is not enabled in the hardened kernel by default), then you would need the SINIT module (provided only by Intel)[https://software.intel.com/en-us/articles/intel-trusted-execution-technology], a possibly compiled TrustedGrub2[https://github.com/Rohde-Schwarz-Cybersecurity/TrustedGRUB2], trousers[https://sourceforge.net/projects/trousers/?source=navbar], tboot[https://sourceforge.net/projects/tboot/]. These packages are not in aports and it is unknown if these tools work on musl. It's not recommended for Edge. Also, there would be trigger packages to generate hashes for the kernel and the mkinitfs updates.

== Setting up the Alpine Build System ==

First, you need to follow the steps in [[Creating_an_Alpine_package#Setup_your_system_and_account|Setup your system and account for building packages]]. You also need to configure your {{path|/etc/apk/repositories}} so that they search locally for your apks. See [[Creating_an_Alpine_package#Testing_the_package_locally|Testing the package locally]] for details.

After setting up accounts and repos, change your shell's current working directory to '''aports''' that you just cloned.

{{cmd|$ cd aports}}

== Working with aports ==

We will try using an existing lts kernel just tweaking the {{path|lts.ARCH.config}} file.

=== Switching to the proper release version ===

You need to switch to the proper branch that matches the release so that the kernel compiles against the dependencies properly.

{| cellpadding="5" border="1" class="wikitable"
|-
! Alpine version
! Remote branch
|-
| Edge
| master
|-
| 3.17.0
| 3.17-stable
|-
|}

The following is required to get access to the {{path|APKBUILD}} released for that version of Alpine and which you will create a commit for.

If you are on 3.17 do:

{{cmd|$ git checkout -b 3.17-stable origin/3.17-stable}}

If you are on Edge do:

{{cmd|$ git checkout master}}

=== Creating your config ===

You can use {{pkg|linux-lts}} but what you should do is create a local branch by doing:

For Alpine Edge:

{{cmd|$ git checkout -b my-custom-kernel}}

For Alpine 3.17:

{{cmd|$ git checkout -b my-custom-kernel origin/3.17-stable}}

Doing it this way, you do less work in maintaining. All you need to do is keep ''master'' or ''3.17-stable'' in sync[https://help.github.com/articles/syncing-a-fork/][https://help.github.com/articles/configuring-a-remote-for-a-fork/] and merge any conflicts.

First switch to the branch by doing <code>git checkout my-custom-kernel</code>. Then, you need to navigate to the {{path|main/linux-lts}} folder where you should see a APKBUILD and some config- files. When you are done with your edits either by editing directly the APKBUILD and copying the {{path|lts.ARCH.config}} as {{path|.config}} in the {{path|linux-lts}} folder. You will then move the {{path|.config}} back overriding the {{path|lts.ARCH.config}} generated by <code>make menuconfig</code> (discussed below in the ''Configuring kernel'' section). After generating your config, you need to <code>abuild checksum</code>. Then, do <code>git add APKBUILD lts.ARCH.config</code> where ARCH is whatever architecture (x86, x86_64, ...) you use. Then, you need to do <code>git commit APKBUILD config-NAME.ARCH -m "Enabled these options ...."</code> for your customization the ARCHitecture of your system. You do this so that git can keep your code separate from Alpine's and so your changes float forward between kernel updates.

== Adding custom patches ==

Custom patches should be added to ''sources=''.

After you added the URL, you need to produce a checksum by doing <code>abuild checksum</code>.

The custom patches may not be autopatched, due to being distributed as an archive or different patch level, so you need to define what to do with it in the prepare().

== Configuring kernel ==

Attempt to build the kernel first. To do that, you do <code>abuild -rK</code> to install most of the dependencies. If it complains about a dependency like {{pkg|elfutils-dev}} use <code>-rKd</code>. Then, when it prompts for values for new found config options just hold enter till it starts compiling the kernel. There should be two sets one for -lts and the other for the -virt. Just {{Key|Ctrl}}+{{Key|C}} out of the compilation process after the second set so you can further customize the config. Then you go into the {{path|src/linux-VER}} and edit the config file. Copy the {{path|.config}} file overriding the {{path|lts.ARCH.config}} in the srcdir.

The alternative is to use the kernel configuration menu in the build-NAME folder, but before yo do that you need to <code>sudo apk add {{pkg|ncurses-dev}}</code>

After you are done using the menu in the build-NAME folder by doing <code>make menuconfig</code>, you want to remove <code>ncurses-dev</code>. When you are done, it will be stored in ''.config'' which you need to again override the {{path|lts.ARCH.config}} file. When you are done updating the {{path|config-NAME.ARCH}}, you need to do <code>abuild checksum</code>.

The options in the kernel config are typically defaults. If your device is old, it may be set to n by default.

=== Vanilla targets and tuning ===

{|cellpadding="5" border="1" class="wikitable"
!ARCH
!Processor Type / CPU Selection / System Type
!Code Generation / Instruction Extensions
!Timer Frequency
!Preemption Model
!Bitness
|-
|s390x
|IBM zEnterprise 114 and 196
|IBM zBC12 and zEC12 (<code>-march=zEC12 -mtune=zEC12</code>)
|1000 Hz
|No Forced Preemption (Server)
|64
|-
|ppc64le
|Server processors
|POWER8 (<code>-mcpu=power8</code>), AltiVec (<code>-Wa,-maltivec</code> to assembler or <code>-maltivec -mabi=altivec</code>), VSX
|1000 HZ
|No Forced Preemption (Server)
|64
|-
|ppc
|
512x/52xx/6xx/7xx/74xx/82xx/83xx/86xx
* Apple PowerMac based machines
|AltiVec (<code>-Wa,-maltivec</code> to assembler or <code>-maltivec -mabi=altivec</code>) on >=74xx
|1000 HZ
|No Forced Preemption (Server)
|32
|-
|x86_64
|Generic-x86-64
|(-mtune=generic ; SIMD assembly modules enabled based on simple compile test and/or presence of CPU flag)
|1000 HZ
|Voluntary Kernel Preemption (Desktop)
|64
|-
|x86
|586/K5/5x86/6x86/6x86MX
|(-mtune=generic ; SIMD assembly modules enabled based on simple compile test and/or presence of CPU flag)
|1000 HZ
|Voluntary Kernel Preemption (Desktop)
|32
|-
|armv7
|
* ARMv7 based platforms (Cortex-A, PJ4, Scorpion, Krait)
* Freescale i.MX family -- Cortex A (i.MX51, i.MX53, i.MX6 Quad/DualLite, i.MX6 SoloLite, i.MX6 SoloX, i.MX6 UltraLite, i.MX7 Dual)
* Qualcomm -- (MSM8X60, MSM8960, MSM8974)
* Allwinner SoCs -- (A10 (sun4i), A10s / A13 (sun5i), A31 (sun6i), A20 (sun7i), sun8i Family, (sun9i))
* ARM Ldt Versatile Express family --
|Either <code>-march=armv7-a</code> or <code>-march=armv5t -Wa,-march=armv7-a</code> based on a compile test. <code>-mfpu=vfp</code>
|1000 Hz
|Voluntary Kernel Preemption (Desktop)
|32
|-
|aarch64
|
* Allwinner sunxi 64-bit SoC Family
* Broadcom BCM2835 family
* Marvell Berlin SoC Family
* ARMv8 based Samsung Exynos SoC family
* ARMv8 based Freescale Layerscape SoC family
* Hisilicon SoC Family
* Mediatek MT65xx & MT81xx ARMv8 SoC
* Marvell EBU SoC Family
* Qualcomm Platforms
* Rockchip Platforms
* AMD Seattle SoC Family
* Altera's Stratix 10 SoCFPGA Family
* NVIDIA Tegra SoC Family
* Spreadtrum SoC platform
* Cavium Inc. Thunder SoC Family
* ARMv8 software model (Versatile Express)
* AppliedMicro X-Gene SOC Family
* Xilinx ZynqMP Family
|
|1000 HZ
|Voluntary Kernel Preemption (Desktop)
|64
|-
|}
If you do desktop multitasking, you may want to switch to Voluntary Kernel Preemption (Desktop) or Preemptible Kernel (Low-Latency Desktop) and up the Timer Frequency. If you run a dedicated render farm node or a dedicated bitcoin miner use No Forced Preemption (Server) and decrease the Timer Frequency.

Optimized modules (most are already compiled as modules):
* raid6 -- altivec, avx512, ssse3, avx2, mmx, sse, sse2, neon
* some operations of raid5 -- mmx (32 bit), sse (64 bit), avx
For Kernel API:
* 32-bit memcpy -- 3dnow
* 32-bit memory page clearing and copying -- sse (Athlon/K7 only), mmx
From x86/crypto, arm/crypto, powerpc/crypto:
* CAMELLIA -- avx2, avx, aes-ni
* CHACHA20 -- avx2, neon
* CAST5 -- avx
* CAST6 -- avx
* TWOFISH -- avx
* SERPENT -- avx2, avx, sse2
* SHA1 -- avx2, ssse3, neon, spe
* SHA2 -- avx2
* SHA256 -- ssse3, neon, spe
* SHA512 -- avx2, ssse3, neon
* POLY1305 -- avx2
* GHASH -- pclmulqdq (part of aes-ni), vmx (power8)
* AES -- aes-ni, neon, vmx (power8), spe
* CRC32 -- pclmulqdq, sse, neon, vmx (power8)
* CRCT10DIF -- pclmulqdq, sse, neon, vmx (power8)

=== Fast reboots with kexec ===
{{main|kexec}}

If you want to reboot the kernel fast avoiding the POST test, you need {{ic|doas apk add {{pkg|kexec-tools}}}} and enable kexec in the kernel:

Processor type and features
[*] kexec system call

=== Hibernation to prevent data loss ===

Power management and ACPI options
[*] Hibernation (aka 'suspend to disk')

Hibernation should be used if you have a laptop. You don't want the laptop to suddenly shut off resulting in data loss, you want it to save your work based on a percentage of battery life (this requires special script). When hibernation resumes, should lock and ask for credentials. Depending on your needs, the hibernated image can be encrypted/decrypted which again requires additional customization to scripts.

Hibernation with an unsanitized swap file is generally insecure because data and unlocked memory pages are swapped out in plaintext. To increase the security either disable swap or use an encrypted swap. The swap file/partition is typically used as the hibernation resume image.

== Building ==

Before building, you may want to remove as many modules as possible. This will reduce the time to compile greatly. Also, you may want to use [https://github.com/ccache/ccache/ ccache] for faster recompiles especially if you are searching for the minimal set of options or modules to use or include.

You should then do an <code>abuild -r</code> to attempt to build it.

== Installing ==

To install it you do a {{ic|doas apk add linux-NAME}} where NAME is your custom kernel name.

== Testing ==

Before you test, you should install the lts kernel too, using <code>apk add {{pkg|linux-lts}}</code>. You may be missing a module and can't boot, so you use the other kernel as the fallback boot kernel. Don't forget to update your bootloader configuration.

To test, first you should make a bootable Alpine USB image. Then, when you have your rescue USB done, you <code>reboot</code> the computer.

To test it, you basically do trial and error. Sometimes your config is missing something if you want to have a bare minimum setting.

If you are curious about correctness testing, some kernel modules or components do preform self tests at the beginning of the boot process. The tools may have test suites that you run with the make command.

== See Also ==
* [https://wiki.archlinux.org/title/Kernel Archwiki Kernels]
* [https://wiki.gentoo.org/wiki/Kernel Gentoo Wiki Kernel]
* [https://wiki.gentoo.org/wiki/Kernel/Configuration Gentoo Wiki Kernel Configuration]
* [[How to build the Alpine Linux kernel]]

[[Category:Kernel]]

Hyprland

2025-10-21T20:57:29Z

Pawciobiel: Update info about the setup

This wiki page is about [https://hyprland.org Hyprland], a [[wayland]] based tiling compositor with all the eyecandy, powerful plugins and much more.

Refer to [https://wiki.hyprland.org/Getting-Started/Master-Tutorial/ hyprland Tutorial] to get started on using Hyprland.

== Prerequisites ==
{{:Include:Desktop prerequisites}}
* Install [[Alpine_setup_scripts#setup-wayland-base|wayland-base]].This enables [[elogind]] as [[Seat manager|seat manager]], enables [[Repositories#Community|community repository]] and enables [[eudev]].

== Installation ==

To run the {{Pkg|hyprland|arch=}} nicely, it is likely that you will need at least those packages: {{Cmd|# apk add hyprland hyprland-plugin-manager hyprland-protocols \
hyprland-wallpapers wayland xwayland elogind elogind-openrc \
polkit-elogind polkit-openrc openrc-user-pam eudev \
eudev-openrc dbus dbus-openrc dbus-daemon-launch-helper pipewire \
pipewire-openrc pipewire-pulse pipewire-pulse-openrc \
wireplumber wireplumber-openrc
}}

Optionally {{Cmd|# apk add waybar hyprland-wallpapers \
hyprutils hyprcursor wlroots grim slurp \
wofi kitty dolphin
}}
Obviously there are other choices: `rofi`, `alacritty`, etc...

== Setup ==
As a bare minimum: {{Cmd|#setup-wayland-base}}

{{Pkg|openrc|arch=}} comes with "user services" so we can use it
to start required services when you login.

1) add user to ''seat'' group - required for elogind

2) add user to ''audio'', ''video'', ''pipewire'', ''input'' groups

3) create a symbolic link for user service {{Cmd|# /etc/init.d/user.$YOUR_USERNAME_HERE -> /etc/init.d/user}}

4) enable linger for your user
{{Cmd|# loginctl enable-linger $YOUR_USERNAME_HERE}}

5) Add required services to your user services
{{Cmd|$ ls -la /etc/user/init.d/}}
{{Cmd|$ rc-status --user}}
{{Cmd|$ for service in dbus wireplumber pipewire pipewire-pulse; do rc-update --user add "$service" && rc-service --user "$service" start; done}}

== Configuration ==

The default config is in {{Cmd|/usr/share/hypr/hyprland.conf}}
and based on that you may want to customize yours {{Cmd|~/.config/hypr/hyprland.conf}}

=== consistent icon theme ===

Depending on what applications you are running, you only need the HYPRCURSOR_THEME environment, it should work for all modern applications. But since you are reading this, you probably found an incompatible application. You have the option to disable hyprcursors, then you need only one theme. Otherwise you need to download a theme that is available as hyprcursors and xcursors (e.g. rose-pine-hyprcursor).

{{Cat|~/.config/hypr/hyprland.conf|<nowiki># Set the theme for most applications
env = HYPRCURSOR_THEME,$your_hyprcursor_theme
env = HYPRCURSOR_SIZE,24
# Set the theme for some Qt applications
env = XCURSOR_THEME,$your_xcursor_theme
env = XCURSOR_SIZE,24
# Set the theme for some GTK applications
exec-once = gsettings set org.gnome.desktop.interface cursor-theme $your_xcursor_theme
exec-once = gsettings set org.gnome.desktop.interface cursor-size 24</nowiki>}}

If you use gsettings make sure you have installed {{pkg|gsettings-desktop-schemas}} package.

== Plugins ==

=== hyprland-plugin-manager ===

From Alpine v3.22 on the ''hyprland-plugin-manager'' package is available. It installs the complete development-tree of hyprland, since it requires to compile hyprland. It is possible to uninstall ''hyprland-plugin-manager'' after the plugin is compiled.

=== hyrpland-plugins ===

From Alpine v3.23 (not yet released) on or on ''edge'' it is possible to install the [https://github.com/hyprwm/hyprland-plugins official plugins] as a [https://pkgs.alpinelinux.org/package/edge/community/x86_64/hyprland-plugins package]. Checkout the subpackages to install individual plugins.

=== loading plugins ===

{{Cat|~/.config/hypr/hyprland.conf|<nowiki>plugin = /usr/lib/libhyprexpo.so
plugin {
hyprexpo {
columns = 3
gap_size = 0
workspace_method = first 1
}
}
</nowiki>}}

This is also useful if you have uninstalled ''hyprland-plugin-manager'' and you can't load the plugin via it.

== Troubleshooting ==

=== Black/Magenta checkerboard background: Hyprland failed to load 1 essential asset ===

As of Hyprland 0.45.0, upstream shows a scary message (and an ugly graphic) if you don't have their wallpapers installed.

The ugly graphic goes away when you've launched a [https://wiki.hyprland.org/Useful-Utilities/Wallpapers/ wallpaper utility], but the scary message remains.

The canonical way to solve this is to install {{pkg|hyprland-wallpapers}} package using the command:

{{Cmd|# apk add hyprland-wallpapers}}

Or you can just have some file at {{Path|/usr/share/hypr/wall0.png}} or {{Path|/usr/local/share/hypr/wall0.png}} and modify your config file to have a line as follows: {{Cat|~/.config/hypr/hyprland.conf|<nowiki>misc {
force_default_wallpaper = 0
}</nowiki>}}

=== Hyprland crashes almost immediately ===

Hyprland 0.46 has a bug where the default configuration will crash if Xwayland is not installed. You can either install {{pkg|xwayland}}, or disable in your config:

{{Cat|~/.config/hypr/hyprland.conf|<nowiki>xwayland:enabled = false</nowiki>}}

This should be fixed in the next update.

=== warning message about hyprland-qtutils ===

Hyprland 0.46 and newer suggest you install hyprland-qtutils, which is currently not available in alpine.

<blockquote>Your system does not have hyprland-qtutils installed. This is a runtime dependency for some dialogs. Consider installing it.</blockquote>

You can disable the check in your config like so:

{{Cat|~/.config/hypr/hyprland.conf|<nowiki>misc:disable_hyprland_qtutils_check = true</nowiki>}}

=== DBUS_SESSION_BUS_ADDRESS unset ===

If you're using login manager, create a copy of {{ic|/usr/share/wayland-sessions/hyprland.desktop}} that starts Hyprland within D-Bus session:

Exec=dbus-run-session -- Hyprland

Also make sure that D-Bus is started as a system service.

== See Also ==

* [https://wiki.hyprland.org Official Hyprland wiki]

[[Category:compositor]]

Hyprland

2025-10-21T20:30:37Z

Pawciobiel: update info about configuration file

This wiki page is about [https://hyprland.org Hyprland], a [[wayland]] based tiling compositor with all the eyecandy, powerful plugins and much more.

Refer to [https://wiki.hyprland.org/Getting-Started/Master-Tutorial/ hyprland Tutorial] to get started on using Hyprland.

== Prerequisites ==
{{:Include:Desktop prerequisites}}
* Install [[Alpine_setup_scripts#setup-wayland-base|wayland-base]].This enables [[elogind]] as [[Seat manager|seat manager]], enables [[Repositories#Community|community repository]] and enables [[eudev]].

== Installation ==

To run the {{Pkg|hyprland|arch=}} nicely, it is likely that you will need at least those packages: {{Cmd|# apk add hyprland hyprland-plugin-manager hyprland-protocols \
hyprland-wallpapers wayland xwayland elogind elogind-openrc \
polkit-elogind polkit-openrc openrc-user-pam eudev \
eudev-openrc dbus dbus-openrc dbus-daemon-launch-helper pipewire \
pipewire-openrc pipewire-pulse pipewire-pulse-openrc \
wireplumber wireplumber-openrc
}}

Optionally {{Cmd|# apk add waybar hyprland-wallpapers \
hyprutils hyprcursor wlroots grim slurp \
wofi kitty dolphin
}}
Obviously there are other choices: `rofi`, `alacritty`, etc...

== Configuration ==

=== consistent icon theme ===

The default config is in ''/usr/share/hypr/hyprland.conf''
and based on that you may want to customize yours ''~/.config/hypr/hyprland.conf''.

Depending on what applications you are running, you only need the HYPRCURSOR_THEME environment, it should work for all modern applications. But since you are reading this, you probably found an incompatible application. You have the option to disable hyprcursors, then you need only one theme. Otherwise you need to download a theme that is available as hyprcursors and xcursors (e.g. rose-pine-hyprcursor).

{{Cat|~/.config/hypr/hyprland.conf|<nowiki># Set the theme for most applications
env = HYPRCURSOR_THEME,$your_hyprcursor_theme
env = HYPRCURSOR_SIZE,24
# Set the theme for some Qt applications
env = XCURSOR_THEME,$your_xcursor_theme
env = XCURSOR_SIZE,24
# Set the theme for some GTK applications
exec-once = gsettings set org.gnome.desktop.interface cursor-theme $your_xcursor_theme
exec-once = gsettings set org.gnome.desktop.interface cursor-size 24</nowiki>}}

If you use gsettings make sure you have installed {{pkg|gsettings-desktop-schemas}} package.

== Plugins ==

=== hyprland-plugin-manager ===

From Alpine v3.22 on the ''hyprland-plugin-manager'' package is available. It installs the complete development-tree of hyprland, since it requires to compile hyprland. It is possible to uninstall ''hyprland-plugin-manager'' after the plugin is compiled.

=== hyrpland-plugins ===

From Alpine v3.23 (not yet released) on or on ''edge'' it is possible to install the [https://github.com/hyprwm/hyprland-plugins official plugins] as a [https://pkgs.alpinelinux.org/package/edge/community/x86_64/hyprland-plugins package]. Checkout the subpackages to install individual plugins.

=== loading plugins ===

{{Cat|~/.config/hypr/hyprland.conf|<nowiki>plugin = /usr/lib/libhyprexpo.so
plugin {
hyprexpo {
columns = 3
gap_size = 0
workspace_method = first 1
}
}
</nowiki>}}

This is also useful if you have uninstalled ''hyprland-plugin-manager'' and you can't load the plugin via it.

== Troubleshooting ==

=== Black/Magenta checkerboard background: Hyprland failed to load 1 essential asset ===

As of Hyprland 0.45.0, upstream shows a scary message (and an ugly graphic) if you don't have their wallpapers installed.

The ugly graphic goes away when you've launched a [https://wiki.hyprland.org/Useful-Utilities/Wallpapers/ wallpaper utility], but the scary message remains.

The canonical way to solve this is to install {{pkg|hyprland-wallpapers}} package using the command:

{{Cmd|# apk add hyprland-wallpapers}}

Or you can just have some file at {{Path|/usr/share/hypr/wall0.png}} or {{Path|/usr/local/share/hypr/wall0.png}} and modify your config file to have a line as follows: {{Cat|~/.config/hypr/hyprland.conf|<nowiki>misc {
force_default_wallpaper = 0
}</nowiki>}}

=== Hyprland crashes almost immediately ===

Hyprland 0.46 has a bug where the default configuration will crash if Xwayland is not installed. You can either install {{pkg|xwayland}}, or disable in your config:

{{Cat|~/.config/hypr/hyprland.conf|<nowiki>xwayland:enabled = false</nowiki>}}

This should be fixed in the next update.

=== warning message about hyprland-qtutils ===

Hyprland 0.46 and newer suggest you install hyprland-qtutils, which is currently not available in alpine.

<blockquote>Your system does not have hyprland-qtutils installed. This is a runtime dependency for some dialogs. Consider installing it.</blockquote>

You can disable the check in your config like so:

{{Cat|~/.config/hypr/hyprland.conf|<nowiki>misc:disable_hyprland_qtutils_check = true</nowiki>}}

=== DBUS_SESSION_BUS_ADDRESS unset ===

If you're using login manager, create a copy of {{ic|/usr/share/wayland-sessions/hyprland.desktop}} that starts Hyprland within D-Bus session:

Exec=dbus-run-session -- Hyprland

Also make sure that D-Bus is started as a system service.

== See Also ==

* [https://wiki.hyprland.org Official Hyprland wiki]

[[Category:compositor]]

Hyprland

2025-10-21T20:22:58Z

Pawciobiel: Update installation with most recent packages on alpine 3.22

This wiki page is about [https://hyprland.org Hyprland], a [[wayland]] based tiling compositor with all the eyecandy, powerful plugins and much more.

Refer to [https://wiki.hyprland.org/Getting-Started/Master-Tutorial/ hyprland Tutorial] to get started on using Hyprland.

== Prerequisites ==
{{:Include:Desktop prerequisites}}
* Install [[Alpine_setup_scripts#setup-wayland-base|wayland-base]].This enables [[elogind]] as [[Seat manager|seat manager]], enables [[Repositories#Community|community repository]] and enables [[eudev]].

== Installation ==

To run the {{Pkg|hyprland|arch=}} nicely, it is likely that you will need at least those packages: {{Cmd|# apk add hyprland hyprland-plugin-manager hyprland-protocols \
hyprland-wallpapers wayland xwayland elogind elogind-openrc \
polkit-elogind polkit-openrc openrc-user-pam eudev \
eudev-openrc dbus dbus-openrc dbus-daemon-launch-helper pipewire \
pipewire-openrc pipewire-pulse pipewire-pulse-openrc \
wireplumber wireplumber-openrc
}}

Optionally {{Cmd|# apk add waybar hyprland-wallpapers \
hyprutils hyprcursor wlroots grim slurp \
wofi kitty dolphin
}}
Obviously there are other choices: `rofi`, `alacritty`, etc...

== Configuration ==

=== consistent icon theme ===

Depending on what applications you are running, you only need the HYPRCURSOR_THEME environment, it should work for all modern applications. But since you are reading this, you probably found an incompatible application. You have the option to disable hyprcursors, then you need only one theme. Otherwise you need to download a theme that is available as hyprcursors and xcursors (e.g. rose-pine-hyprcursor).

{{Cat|~/.config/hypr/hyprland.conf|<nowiki># Set the theme for most applications
env = HYPRCURSOR_THEME,$your_hyprcursor_theme
env = HYPRCURSOR_SIZE,24
# Set the theme for some Qt applications
env = XCURSOR_THEME,$your_xcursor_theme
env = XCURSOR_SIZE,24
# Set the theme for some GTK applications
exec-once = gsettings set org.gnome.desktop.interface cursor-theme $your_xcursor_theme
exec-once = gsettings set org.gnome.desktop.interface cursor-size 24</nowiki>}}

If you use gsettings make sure you have installed {{pkg|gsettings-desktop-schemas}} package.

== Plugins ==

=== hyprland-plugin-manager ===

From Alpine v3.22 on the ''hyprland-plugin-manager'' package is available. It installs the complete development-tree of hyprland, since it requires to compile hyprland. It is possible to uninstall ''hyprland-plugin-manager'' after the plugin is compiled.

=== hyrpland-plugins ===

From Alpine v3.23 (not yet released) on or on ''edge'' it is possible to install the [https://github.com/hyprwm/hyprland-plugins official plugins] as a [https://pkgs.alpinelinux.org/package/edge/community/x86_64/hyprland-plugins package]. Checkout the subpackages to install individual plugins.

=== loading plugins ===

{{Cat|~/.config/hypr/hyprland.conf|<nowiki>plugin = /usr/lib/libhyprexpo.so
plugin {
hyprexpo {
columns = 3
gap_size = 0
workspace_method = first 1
}
}
</nowiki>}}

This is also useful if you have uninstalled ''hyprland-plugin-manager'' and you can't load the plugin via it.

== Troubleshooting ==

=== Black/Magenta checkerboard background: Hyprland failed to load 1 essential asset ===

As of Hyprland 0.45.0, upstream shows a scary message (and an ugly graphic) if you don't have their wallpapers installed.

The ugly graphic goes away when you've launched a [https://wiki.hyprland.org/Useful-Utilities/Wallpapers/ wallpaper utility], but the scary message remains.

The canonical way to solve this is to install {{pkg|hyprland-wallpapers}} package using the command:

{{Cmd|# apk add hyprland-wallpapers}}

Or you can just have some file at {{Path|/usr/share/hypr/wall0.png}} or {{Path|/usr/local/share/hypr/wall0.png}} and modify your config file to have a line as follows: {{Cat|~/.config/hypr/hyprland.conf|<nowiki>misc {
force_default_wallpaper = 0
}</nowiki>}}

=== Hyprland crashes almost immediately ===

Hyprland 0.46 has a bug where the default configuration will crash if Xwayland is not installed. You can either install {{pkg|xwayland}}, or disable in your config:

{{Cat|~/.config/hypr/hyprland.conf|<nowiki>xwayland:enabled = false</nowiki>}}

This should be fixed in the next update.

=== warning message about hyprland-qtutils ===

Hyprland 0.46 and newer suggest you install hyprland-qtutils, which is currently not available in alpine.

<blockquote>Your system does not have hyprland-qtutils installed. This is a runtime dependency for some dialogs. Consider installing it.</blockquote>

You can disable the check in your config like so:

{{Cat|~/.config/hypr/hyprland.conf|<nowiki>misc:disable_hyprland_qtutils_check = true</nowiki>}}

=== DBUS_SESSION_BUS_ADDRESS unset ===

If you're using login manager, create a copy of {{ic|/usr/share/wayland-sessions/hyprland.desktop}} that starts Hyprland within D-Bus session:

Exec=dbus-run-session -- Hyprland

Also make sure that D-Bus is started as a system service.

== See Also ==

* [https://wiki.hyprland.org Official Hyprland wiki]

[[Category:compositor]]

LVM on LUKS

2021-01-15T21:51:20Z

Pawciobiel: Add note about volumes within main encrypted partition

= Introduction =

This documentation describes how to set up Alpine Linux on a fully encrypted disk (apart from the bootloader's partition). We will have an LVM container installed inside an encrypted partition. To encrypt the partition containing the LVM volume group, dm-crypt (which is managed by the <code>cryptsetup</code> command) and its LUKS subsystem is used.

Note that your <code>/boot/</code> partition must be non-encrypted to work with Syslinux. When using GRUB2 it is possible to boot from an encrypted partition to provide a layer of protection from [https://en.wikipedia.org/wiki/Evil_maid_attack Evil Maid attacks], but Syslinux doesn't support this.

== Storage Device Name ==

To find your storage device's name, you could either install <code>util-linux</code> (<code>apk add util-linux</code>) and find your device using the <code>lspci</code> command, or you could make an educated guess by using BusyBox's <code>blkid</code> and <code>df</code> commands, and running <code>ls /dev/sd*</code> if you are installing to a USB, SATA or SCSI device, <code>ls /dev/fd*</code> for floppy disks and <code>ls /dev/hd*</code> for IDE (PATA) devices.

The following documentation uses the <code>/dev/sda</code> device as installation destination. If your environment uses a different device name for your storage device, use the corresponding device names in the examples.

= Setting up Alpine Linux Using LVM on Top of a LUKS Partition =

To install Alpine Linux in logical volumes running on top of a LUKS encrypted partition, you cannot use the [[Installation|official installation]] procedure. The installation requires several manual steps you must run in the Alpine Linux Live CD environment.

== Preparing the Temporary Installation Environment ==

Before you begin to install Alpine Linux, prepare the temporary environment:

Boot the latest Alpine Linux Installation CD. At the login prompt, use the <code>root</code> user without a password to log in. Now we will follow the [[Setup-alpine]] script and make our changes along the way.

Run the scripts in this order:

<pre># setup-keymap
# setup-hostname
# setup-interfaces
# rc-service networking start</pre>

If you are configuring static networking (you didn't configure any interfaces to use DHCP), run <code>setup-dns</code>.

If you are using Wi-Fi you may need to do run <code>rc-update add wpa_supplicant boot</code>.

<pre># passwd
# setup-timezone
# rc-update add networking boot
# rc-update add urandom boot
# rc-update add acpid default
# rc-service acpid start</pre>

Edit your {{Path|/etc/hosts}} to look like this, replacing <hostname> with your hostname and <domain> with your TLD (if you don't have a TLD, use 'localdomain':
{{Tip|The default text editor in BusyBox is <code>vi</code> (pronounced ''vee-eye'').}}
{{Cat|/etc/hosts|127.0.0.1 <hostname> <hostname>.<domain> localhost localhost.localdomain
::1 <hostname> <hostname>.<domain> localhost localhost.localdomain}}

{{Note|In order to setup GRUB with UEFI, you are required to use the edge branch with the main and community repository. The reason for this is that <code>efibootmgr</code> is not available in the stable branch. If you do not want to switch completely over to edge you can do something called repository pinning. You will need to do this after the <code>setup-apkrepos</code> step.}}

<pre># setup-apkrepos
# apk update
# setup-sshd
# setup-ntp</pre>

Now we will deviate from the install script.

Install the following packages required to set up LVM and LUKS:

{{Note|The <code>parted</code> partition editor is needed for advanced partitioning and GPT disklabels. BusyBox <code>fdisk</code> is a very stripped-down version with minimal functionality}}

<pre># apk add lvm2 cryptsetup e2fsprogs parted</pre>

Optionally, if you want to overwrite your storage with random data first, install <code>haveged</code>, which is a random number generator based on hardware events and has a higher throughput than <code>/dev/urandom</code>:

<pre># apk add haveged
# rc-service haveged start</pre>

== Creating the Partition Layout ==

Depending on your motherboard and bios features and configuration
we can either use partition table in MBR (legacy BIOS)
or GUID Partition Table (GPT).
Here we will describe those two with example layouts.

=== BIOS/MBR with DOS disklabel ===

We will be partitioning the storage device with a non-encrypted <code>/boot</code> partition for use with the Syslinux bootloader. Syslinux is meant for use with legacy BIOS and the MSDOS MBR partition table. Syslinux does support GPT partition tables but GRUB2 is the better option for UEFI (UEFI is only possible with GPT).

<pre>+---------------------------+------------------------+-----------------------+
| Partition name | Partition purpose | Filesystem type |
+---------------------------+------------------------+-----------------------+
| /dev/sda1 | Boot partition | ext4 |
| /dev/sda2 | LUKS container | LUKS |
| |-> /dev/mapper/lvmcrypt | LVM container | LVM |
| |-> /dev/vg01/root | Root partition | ext4 |
| |-> /dev/vg01/swap | Swap partition | swap |
+---------------------------+------------------------+-----------------------+</pre>

{{Warning|This will delete your previous partitioning table and make your data very hard to recover. If you want to dual boot, stop here and ask an expert.}}

Create an approx. 100MB partition to boot off, then assign the rest of the space to your LUKS partition.

<pre># parted -a optimal
(parted) mklabel msdos
(parted) mkpart primary ext4 0% 100M
(parted) name 1 boot
(parted) set 1 boot on
(parted) mkpart primary ext4 100M 100%
(parted) name 2 crypto-luks</pre>

To view your partition table, type <code>print</code> while still in <code>parted</code>. Your results should look something like this:
<pre>(parted) print
Model: ATA TOSHIBA ******** (scsi)
Disk /dev/sda: 1000GB
Sector size (logical/physical): 512B/4096B
Partition Table: msdos
Disk Flags:

Number Start End Size Type File system Flags
1 1049kB 99.6MB 98.6MB primary ext4 boot
2 99.6MB 1000GB 1000GB primary ext4</pre>

=== UEFI with GPT disklabel ===

We will be encrypting the whole disk but the EFI system partition mounted at <code>/boot/efi</code>. This means that GRUB2 will decrypt the LUKS volume and load the kernel from there, preventing someone with physical access to your computer from maliciously installing a rootkit (or bootkit) in your boot partition while your computer is not already unlocked. The partitioning scheme will look like this:

<pre>+---------------------------+------------------------+-----------------------+
| Partition name | Partition purpose | Filesystem type |
+---------------------------+------------------------+-----------------------+
| /dev/sda1 | EFI system partition | fat32 |
| /dev/sda2 | LUKS container | LUKS |
| |-> /dev/mapper/lvmcrypt | LVM container | LVM |
| |-> /dev/vg01/root | Root partition | ext4 |
| |-> /dev/vg01/boot | Boot partition | ext4 |
| |-> /dev/vg01/swap | Swap partition | swap |
+---------------------------+------------------------+-----------------------+</pre>

{{Warning|This will delete your previous partitioning table and make your data very hard to recover. If you want to dual boot, stop here and ask an expert.}}

Create an approx. 200MB EFI system partition, then assign the rest of the space to your LUKS partition.

<pre># parted -a optimal
(parted) mklabel gpt
(parted) mkpart primary fat32 0% 200M
(parted) name 1 esp
(parted) set 1 esp on
(parted) mkpart primary ext4 200M 100%
(parted) name 2 crypto-luks</pre>

== Optional: Overwrite LUKS Partition with Random Data ==

This should be done if your hard drive wasn't encrypted previously. It helps purge old, non-encrypted data and makes it harder for an attacker to work out how much data you have on your drive if they have access to the encrypted contents.

We will be using <code>haveged</code> as it is considerably faster than <code>/dev/urandom</code> when generating pseudo-random numbers (it's almost as high as <code>/dev/zero</code> in throughput), and is (supposedly) very close to truly random.

<pre># haveged -n 0 | dd of=/dev/sda2</pre>

== Encrypting the LVM Physical Volume Partition ==

To encrypt the partition which will later contain the LVM PV, you could either use the default settings (aes-xts-plain64 cipher with 256-bit key and Argon2 hashing with iter-time 2000ms), or you could use these settings which have added security with the trade-off being a non-noticeable decrease in performance in modern computers:

Default settings:

<pre># cryptsetup luksFormat /dev/sda2</pre>

Optimized for security:

<pre># cryptsetup -v -c serpent-xts-plain64 -s 512 --hash whirlpool --iter-time 5000 --use-random luksFormat /dev/sda2</pre>

If using at least Alpine v3.11 and GRUB2 with encrypted /boot, the following should be used instead (because GRUB2 does not yet support LUKS2 containers):

<pre># cryptsetup luksFormat --type luks1 /dev/sda2</pre>

== Creating the Logical Volumes and File Systems ==

Open the LUKS partition:

<pre># cryptsetup luksOpen /dev/sda2 lvmcrypt</pre>

Create the PV on <code>lvmcrypt</code>:

<pre># pvcreate /dev/mapper/lvmcrypt</pre>

Create the <code>vg0</code> LVM VG in the <code>/dev/mapper/lvmcrypt</code> PV:

<pre># vgcreate vg0 /dev/mapper/lvmcrypt</pre>

=== LV Creation for BIOS/MBR ===

This will create a 2GB swap partition and a root partition which takes up the rest of the space. This setup is for those who do not need to use the hibernate/suspend to disk state. If you do need to suspend to disk, create a swap partition slightly larger than the size of your RAM (change the size after <code># lvcreate -L</code>).

<pre># lvcreate -L 2G vg0 -n swap
# lvcreate -l 100%FREE vg0 -n root</pre>

The LVs created in the previous steps are automatically marked active. To verify, enter:

<pre># lvscan</pre>

=== LV Creation for UEFI/GPT ===

This will create a 2GB swap partition, a 2GB boot partition and a root partition which takes up the rest of the space. This setup is for those who do not need to use the hibernate/suspend to disk state. If you do need to suspend to disk, create a swap partition slightly larger than the size of your RAM (change the size after <code># lvcreate -L</code>).

<pre># lvcreate -L 2G vg0 -n swap
# lvcreate -L 2G vg0 -n boot
# lvcreate -l 100%FREE vg0 -n root</pre>

The LVs created in the previous steps are automatically marked active. To verify, enter:

<pre># lvscan</pre>

== Creating and Mounting the File Systems ==

Format the <code>root</code> and <code>boot</code> LVs using the ext4 file system:

<pre># mkfs.ext4 /dev/vg0/root</pre>

Format the swap LV:

<pre># mkswap /dev/vg0/swap</pre>

Before you can install Alpine Linux, you must mount the partitions and LVs. Mount the root LV to the <code>/mnt/</code> directory:

<pre># mount -t ext4 /dev/vg0/root /mnt/</pre>

Next format your boot partition, create a mount point and mount it:

* If you're using BIOS and MBR:

<pre># mkfs.ext4 /dev/sda1
# mkdir -v /mnt/boot
# mount -t ext4 /dev/sda1 /mnt/boot</pre>

* If you're using UEFI and GPT:

<pre># apk add dosfstools
# mkfs.fat -F32 /dev/sda1
# mkfs.ext4 /dev/vg0/boot
# mkdir -v /mnt/boot
# mount -t ext4 /dev/vg0/boot /mnt/boot
# mkdir -v /mnt/boot/efi
# mount -t vfat /dev/sda1 /mnt/boot/efi</pre>

Lastly, activate your swap partition:

<pre># swapon /dev/vg0/swap</pre>

== Installing Alpine Linux ==

In this step you will install Alpine Linux in the <code>/mnt/</code> directory, which contains the mounted file system structure:

<pre># setup-disk -m sys /mnt/</pre>

The installer downloads the latest packages to install the base installation. Additionally, the installer automatically creates the entries for the mount points in {{Path|/etc/fstab}} file, which is currently mounted in the <code>/mnt/</code> directory.

{{Note|The automatic writing of the master boot record (MBR) fails in this step. You will write the MBR later manually to the disk.}}

The swap LV is not automatically added to the <code>fstab</code> file. To add it manually, add the following line to the {{Path|/mnt/etc/fstab}} file:

<pre>/dev/vg0/swap swap swap defaults 0 0</pre>

Edit the {{Path|/mnt/etc/mkinitfs/mkinitfs.conf}} file and append the <code>cryptsetup</code> module to the <code>features</code> parameter:

<pre>features="... cryptsetup"</pre>

If you are using GRUB with an encrypted <code>/boot</code> you must add the <code>cryptkey</code> feature so that Alpine can use a keyfile for decryption on boot.

{{Note|Alpine Linux uses the <code>en-us</code> keyboard mapping by default when prompting for the password to decrypt the partition at boot time. If you changed the keyboard mapping in the temporary environment and want to use it at the boot password prompt, be sure to also add the <code>keymap</code> feature to the list above.}}

{{Note|Check the output of <code>mkinitfs -L</code> and add the features necessary for your system to boot. You may need to add <code>kms</code> in order to see a password prompt at boot. You may also need: <code>usb</code>, <code>lvm</code>, <code>ext4</code>...}}

Rebuild the initial RAM disk:

<pre># mkinitfs -c /mnt/etc/mkinitfs/mkinitfs.conf -b /mnt/ $(ls /mnt/lib/modules/)</pre>

The command uses the settings from the <code>mkinitfs.conf</code> file set in the <code>-c</code> parameter to generate the RAM disk. The command is executed in the <code>/mnt/</code> directory and the RAM disk is generated using the modules for the installed kernel. Without setting the kernel version using the <code>$(ls /mnt/lib/modules/</code>) option, <code>mkinitfs</code> tries to generate the RAM disk using the kernel version installed in the temporary environment, which can differ from the latest one installed by the <code>setup-disk</code> utility.

== Installing a bootloader ==

To get the UUID of your storage device into a file for later use, use this command:

<pre># blkid -s UUID -o value /dev/sda2 > ~/uuid</pre>

{{Tip|To easily read the UUID into a file so you don't have to type it manually, open the file in <code>vi</code>, then type <code>:r /root/uuid</code> to load the UUID onto a new line.}}

=== Syslinux with BIOS ===

Install the Syslinux package:

<pre># apk add syslinux</pre>

Edit {{Path|/mnt/etc/update-extlinux.conf}} and append the following kernel options to the <code>default_kernel_opts</code> parameter, replacing <UUID> with the UUID of <code>/dev/sda2</code>:

<pre>default_kernel_opts="... cryptroot=UUID=<UUID of sda2> cryptdm=lvmcrypt"</pre>

The <code>cryptroot</code> parameter sets the ID of the device/partition that contains encrypted volumes, and the <code>cryptdm</code> parameter uses the name of the mapping we have already configured a few lines above.

We can also double check if <code>modules</code> and <code>root</code> are set correctly, eg:
<pre>
modules=sd-mod,usb-storage,ext4,cryptsetup,keymap,cryptkey,kms,lvm
root=UUID=<UUID of /dev/mapper/vg0-root>
</pre>

Because the <code>update-extlinux</code> utility operates only on the <code>/boot/</code> directory, temporarily change the root to the <code>/mnt/</code> directory and update the boot loader configuration:

<pre># chroot /mnt/
# update-extlinux
# exit</pre>

: Because we didn't mount <code>/dev</code> nor <code>/proc</code> inside our <code>/mnt/</code> chroot, some errors may occur when we run <code>update-extlinux</code> command. But you can most likely ignore these.

Write the MBR (without partition table) to the <code>/dev/sda</code> device:

<pre># dd bs=440 count=1 conv=notrunc if=/mnt/usr/share/syslinux/mbr.bin of=/dev/sda</pre>

=== Grub with UEFI ===

To avoid having to type your decryption password twice every boot (once for GRUB and once for Alpine), add a keyfile to your LUKS partition. The filename is important.

<pre># dd bs=512 count=4 if=/dev/urandom of=/mnt/crypto_keyfile.bin
# cryptsetup luksAddKey /dev/sda2 /mnt/crypto_keyfile.bin
</pre>

This keyfile is stored encrypted at rest (it is in your LUKS partition), so it's existence does not reduce the security of the system.

Mount the required filesystems for the Grub EFI installer to the installation:

<pre># mount -t proc /proc /mnt/proc
# mount --rbind /dev /mnt/dev
# mount --make-rslave /mnt/dev
# mount --rbind /sys /mnt/sys</pre>

Then chroot in and use <code>grub-install</code> to install Grub.

<pre># chroot /mnt
# source /etc/profile
# export PS1="(chroot) $PS1"</pre>

Install <code>GRUB2</code> for EFI and (optionally) remove syslinux:

<pre># apk add grub grub-efi efibootmgr
# apk del syslinux</pre>

Edit {{Path|/etc/default/grub}} and add the following kernel options to the <code>GRUB_CMDLINE_LINUX_DEFAULT</code> parameter, replacing <UUID> with the UUID of the encrypted partition (in this case, <code>/dev/sda2</code>):

<pre>cryptroot=UUID=<UUID> cryptdm=lvmcrypt cryptkey</pre>

The <code>cryptroot</code> parameter sets the ID of the device/partition that contains encrypted volumes, and the <code>cryptdm</code> parameter uses the name of the mapping we have already configured a few lines above.
The <code>cryptkey</code> parameter indicates the existence of the file <code>/crypto_keyfile.bin</code> you created previously.

To enable GRUB to decrypt LUKS partitions and read LVM volumes add:

<pre>GRUB_PRELOAD_MODULES="luks cryptodisk part_gpt lvm"</pre>

If using at least Alpine v3.11, <code>GRUB_ENABLE_CRYPTODISK=y</code> should also be added to {{Path|/etc/default/grub}}.

<pre># (chroot) grub-install --target=x86_64-efi --efi-directory=/boot/efi
# (chroot) grub-mkconfig -o /boot/grub/grub.cfg
# (chroot) exit</pre>

== Unmounting the Volumes and Partitions ==

Unmount the <code>/mnt/</code> partitions, deactivate the LVM volumes, close the LUKS partition and reboot:

<pre># cd
# umount -l /mnt/dev
# umount -l /mnt/proc
# umount -l /mnt/sys
# umount /mnt/boot/efi
# umount /mnt/boot
# swapoff /dev/vg0/swap
# umount /mnt
# vgchange -a n
# cryptsetup luksClose lvmcrypt
# reboot</pre>

= Troubleshooting =

== General Procedure ==

In case your system fails to boot, you can verify the settings and fix incorrect configurations.

Reboot and do the steps in [[#Preparing_the_Temporary_Installation_Environment|Prepare the temporary installation environment]] again.

Setup the LUKS partition and activate the LVs:

<pre># cryptsetup luksOpen /dev/sda2
# vgchange -ay</pre>

[[#Creating_and_Mounting_the_File Systems|Mount the file systems]]

Verify that you run the steps described in the [[#Installing_Alpine_Linux|Installing Alpine Linux]] section correctly. Update the configuration if necessary, unmount the partitions, then reboot.

== System can't find boot device ==

* GPT partition table on a motherboard that runs BIOS instead of UEFI
* running an MSDOS/MBR/Syslinux install without enabling legacy boot mode in the UEFI settings

== I see "can not mount /sysroot" during boot ==

* incorrect device UUID
* missing module in <code>/mnt/etc/update-extlinux.conf</code> or <code>/mnt/etc/mkinitfs/mkinitfs.conf</code>

== Secure boot ==

If secure boot complains of an unsigned bootloader, you can either disable it or adapt [https://wiki.archlinux.org/index.php/Secure_Boot this] guide to sign GRUB. If you're using Syslinux, then secure boot should be automatically disabled when you enable legacy boot mode.

= Hardening =

* To harden, you should disable DMA[https://old.iseclab.org/papers/acsac2012dma.pdf] and install a hardened version of AES (TRESOR[https://www1.informatik.uni-erlangen.de/tresor] or Loop-Amnesia[http://moongate.ydns.eu/amnesia.html]) since by default cryptsetup with luks uses AES by default.
* Disable DMA in the BIOS and set the password for the BIOS according to Wikipedia.[https://en.wikipedia.org/wiki/DMA_attack]
* Blacklist kernel modules that use DMA and any unused expansion modules (FireWire, CardBus, ExpressCard, Thunderbolt, USB 3.0, PCI Express and hotplug modules) that use DMA.

= Mounting additional encrypted filesystems at boot =

If you would like other encrypted LUKS partitions to be decrypted and mounted automatically during boot, for example if you have <code>/home</code> on a separate physical drive, some extra steps are required.
{{Note|This does not apply for volumes
within your main encrypted partition <code>/dev/sda2</code>}}
For the purposes of these instructions we will say <code>/dev/sdb1</code> contains an LVM volume that should be mounted at <code>/home</code>.

Create a keyfile and add it to the LUKS partition:

<pre># dd bs=512 count=4 if=/dev/urandom of=/root/crypt-home-keyfile.bin
# cryptsetup luksAddKey /dev/sdb1 /root/crypt-home-keyfile.bin
</pre>

Alpine, like Gentoo, uses the <code>dmcrypt</code> service rather than <code>/etc/crypttab</code>. Add the following lines to <code>/etc/conf.d/dmcrypt</code>:

<pre>target=crypt-home
source='/dev/sdb1'
key='/root/crypt-home-keyfile.bin'
</pre>

Add an entry to <code>/etc/fstab</code>, changing <code>vg1</code> to the name of your LVM volume group:

<pre>/dev/vg1/home /home ext4 rw,relatime 0 2</pre>

Enable the dmcrypt and lvm services to start on boot:

<pre># rc-update add dmcrypt boot
# rc-update add lvm boot
</pre>

After a reboot the partition should be decrypted and mounted automatically.

= See also =
*[[Bootloaders]]
*[[Alpine setup scripts]]
*[[Installing on GPT LVM]]
*[[Setting up LVM on GPT-labeled disks]]
*[[Setting up disks manually]]
*https://wiki.gentoo.org/wiki/Syslinux
*https://wiki.gentoo.org/wiki/GRUB2
*https://wiki.archlinux.org/index.php/Syslinux
*https://wiki.archlinux.org/index.php/GRUB
*https://wiki.gentoo.org/wiki/Sakaki's_EFI_Install_Guide
*https://battlepenguin.com/tech/alpine-linux-with-full-disk-encryption/
*https://wiki.gentoo.org/wiki/Dm-crypt

[[Category:Storage]]
[[Category:Security]]

LVM on LUKS

2021-01-15T21:39:22Z

Pawciobiel: add info about can not mount /sysroot

= Introduction =

This documentation describes how to set up Alpine Linux on a fully encrypted disk (apart from the bootloader's partition). We will have an LVM container installed inside an encrypted partition. To encrypt the partition containing the LVM volume group, dm-crypt (which is managed by the <code>cryptsetup</code> command) and its LUKS subsystem is used.

Note that your <code>/boot/</code> partition must be non-encrypted to work with Syslinux. When using GRUB2 it is possible to boot from an encrypted partition to provide a layer of protection from [https://en.wikipedia.org/wiki/Evil_maid_attack Evil Maid attacks], but Syslinux doesn't support this.

== Storage Device Name ==

To find your storage device's name, you could either install <code>util-linux</code> (<code>apk add util-linux</code>) and find your device using the <code>lspci</code> command, or you could make an educated guess by using BusyBox's <code>blkid</code> and <code>df</code> commands, and running <code>ls /dev/sd*</code> if you are installing to a USB, SATA or SCSI device, <code>ls /dev/fd*</code> for floppy disks and <code>ls /dev/hd*</code> for IDE (PATA) devices.

The following documentation uses the <code>/dev/sda</code> device as installation destination. If your environment uses a different device name for your storage device, use the corresponding device names in the examples.

= Setting up Alpine Linux Using LVM on Top of a LUKS Partition =

To install Alpine Linux in logical volumes running on top of a LUKS encrypted partition, you cannot use the [[Installation|official installation]] procedure. The installation requires several manual steps you must run in the Alpine Linux Live CD environment.

== Preparing the Temporary Installation Environment ==

Before you begin to install Alpine Linux, prepare the temporary environment:

Boot the latest Alpine Linux Installation CD. At the login prompt, use the <code>root</code> user without a password to log in. Now we will follow the [[Setup-alpine]] script and make our changes along the way.

Run the scripts in this order:

<pre># setup-keymap
# setup-hostname
# setup-interfaces
# rc-service networking start</pre>

If you are configuring static networking (you didn't configure any interfaces to use DHCP), run <code>setup-dns</code>.

If you are using Wi-Fi you may need to do run <code>rc-update add wpa_supplicant boot</code>.

<pre># passwd
# setup-timezone
# rc-update add networking boot
# rc-update add urandom boot
# rc-update add acpid default
# rc-service acpid start</pre>

Edit your {{Path|/etc/hosts}} to look like this, replacing <hostname> with your hostname and <domain> with your TLD (if you don't have a TLD, use 'localdomain':
{{Tip|The default text editor in BusyBox is <code>vi</code> (pronounced ''vee-eye'').}}
{{Cat|/etc/hosts|127.0.0.1 <hostname> <hostname>.<domain> localhost localhost.localdomain
::1 <hostname> <hostname>.<domain> localhost localhost.localdomain}}

{{Note|In order to setup GRUB with UEFI, you are required to use the edge branch with the main and community repository. The reason for this is that <code>efibootmgr</code> is not available in the stable branch. If you do not want to switch completely over to edge you can do something called repository pinning. You will need to do this after the <code>setup-apkrepos</code> step.}}

<pre># setup-apkrepos
# apk update
# setup-sshd
# setup-ntp</pre>

Now we will deviate from the install script.

Install the following packages required to set up LVM and LUKS:

{{Note|The <code>parted</code> partition editor is needed for advanced partitioning and GPT disklabels. BusyBox <code>fdisk</code> is a very stripped-down version with minimal functionality}}

<pre># apk add lvm2 cryptsetup e2fsprogs parted</pre>

Optionally, if you want to overwrite your storage with random data first, install <code>haveged</code>, which is a random number generator based on hardware events and has a higher throughput than <code>/dev/urandom</code>:

<pre># apk add haveged
# rc-service haveged start</pre>

== Creating the Partition Layout ==

Depending on your motherboard and bios features and configuration
we can either use partition table in MBR (legacy BIOS)
or GUID Partition Table (GPT).
Here we will describe those two with example layouts.

=== BIOS/MBR with DOS disklabel ===

We will be partitioning the storage device with a non-encrypted <code>/boot</code> partition for use with the Syslinux bootloader. Syslinux is meant for use with legacy BIOS and the MSDOS MBR partition table. Syslinux does support GPT partition tables but GRUB2 is the better option for UEFI (UEFI is only possible with GPT).

<pre>+---------------------------+------------------------+-----------------------+
| Partition name | Partition purpose | Filesystem type |
+---------------------------+------------------------+-----------------------+
| /dev/sda1 | Boot partition | ext4 |
| /dev/sda2 | LUKS container | LUKS |
| |-> /dev/mapper/lvmcrypt | LVM container | LVM |
| |-> /dev/vg01/root | Root partition | ext4 |
| |-> /dev/vg01/swap | Swap partition | swap |
+---------------------------+------------------------+-----------------------+</pre>

{{Warning|This will delete your previous partitioning table and make your data very hard to recover. If you want to dual boot, stop here and ask an expert.}}

Create an approx. 100MB partition to boot off, then assign the rest of the space to your LUKS partition.

<pre># parted -a optimal
(parted) mklabel msdos
(parted) mkpart primary ext4 0% 100M
(parted) name 1 boot
(parted) set 1 boot on
(parted) mkpart primary ext4 100M 100%
(parted) name 2 crypto-luks</pre>

To view your partition table, type <code>print</code> while still in <code>parted</code>. Your results should look something like this:
<pre>(parted) print
Model: ATA TOSHIBA ******** (scsi)
Disk /dev/sda: 1000GB
Sector size (logical/physical): 512B/4096B
Partition Table: msdos
Disk Flags:

Number Start End Size Type File system Flags
1 1049kB 99.6MB 98.6MB primary ext4 boot
2 99.6MB 1000GB 1000GB primary ext4</pre>

=== UEFI with GPT disklabel ===

We will be encrypting the whole disk but the EFI system partition mounted at <code>/boot/efi</code>. This means that GRUB2 will decrypt the LUKS volume and load the kernel from there, preventing someone with physical access to your computer from maliciously installing a rootkit (or bootkit) in your boot partition while your computer is not already unlocked. The partitioning scheme will look like this:

<pre>+---------------------------+------------------------+-----------------------+
| Partition name | Partition purpose | Filesystem type |
+---------------------------+------------------------+-----------------------+
| /dev/sda1 | EFI system partition | fat32 |
| /dev/sda2 | LUKS container | LUKS |
| |-> /dev/mapper/lvmcrypt | LVM container | LVM |
| |-> /dev/vg01/root | Root partition | ext4 |
| |-> /dev/vg01/boot | Boot partition | ext4 |
| |-> /dev/vg01/swap | Swap partition | swap |
+---------------------------+------------------------+-----------------------+</pre>

{{Warning|This will delete your previous partitioning table and make your data very hard to recover. If you want to dual boot, stop here and ask an expert.}}

Create an approx. 200MB EFI system partition, then assign the rest of the space to your LUKS partition.

<pre># parted -a optimal
(parted) mklabel gpt
(parted) mkpart primary fat32 0% 200M
(parted) name 1 esp
(parted) set 1 esp on
(parted) mkpart primary ext4 200M 100%
(parted) name 2 crypto-luks</pre>

== Optional: Overwrite LUKS Partition with Random Data ==

This should be done if your hard drive wasn't encrypted previously. It helps purge old, non-encrypted data and makes it harder for an attacker to work out how much data you have on your drive if they have access to the encrypted contents.

We will be using <code>haveged</code> as it is considerably faster than <code>/dev/urandom</code> when generating pseudo-random numbers (it's almost as high as <code>/dev/zero</code> in throughput), and is (supposedly) very close to truly random.

<pre># haveged -n 0 | dd of=/dev/sda2</pre>

== Encrypting the LVM Physical Volume Partition ==

To encrypt the partition which will later contain the LVM PV, you could either use the default settings (aes-xts-plain64 cipher with 256-bit key and Argon2 hashing with iter-time 2000ms), or you could use these settings which have added security with the trade-off being a non-noticeable decrease in performance in modern computers:

Default settings:

<pre># cryptsetup luksFormat /dev/sda2</pre>

Optimized for security:

<pre># cryptsetup -v -c serpent-xts-plain64 -s 512 --hash whirlpool --iter-time 5000 --use-random luksFormat /dev/sda2</pre>

If using at least Alpine v3.11 and GRUB2 with encrypted /boot, the following should be used instead (because GRUB2 does not yet support LUKS2 containers):

<pre># cryptsetup luksFormat --type luks1 /dev/sda2</pre>

== Creating the Logical Volumes and File Systems ==

Open the LUKS partition:

<pre># cryptsetup luksOpen /dev/sda2 lvmcrypt</pre>

Create the PV on <code>lvmcrypt</code>:

<pre># pvcreate /dev/mapper/lvmcrypt</pre>

Create the <code>vg0</code> LVM VG in the <code>/dev/mapper/lvmcrypt</code> PV:

<pre># vgcreate vg0 /dev/mapper/lvmcrypt</pre>

=== LV Creation for BIOS/MBR ===

This will create a 2GB swap partition and a root partition which takes up the rest of the space. This setup is for those who do not need to use the hibernate/suspend to disk state. If you do need to suspend to disk, create a swap partition slightly larger than the size of your RAM (change the size after <code># lvcreate -L</code>).

<pre># lvcreate -L 2G vg0 -n swap
# lvcreate -l 100%FREE vg0 -n root</pre>

The LVs created in the previous steps are automatically marked active. To verify, enter:

<pre># lvscan</pre>

=== LV Creation for UEFI/GPT ===

This will create a 2GB swap partition, a 2GB boot partition and a root partition which takes up the rest of the space. This setup is for those who do not need to use the hibernate/suspend to disk state. If you do need to suspend to disk, create a swap partition slightly larger than the size of your RAM (change the size after <code># lvcreate -L</code>).

<pre># lvcreate -L 2G vg0 -n swap
# lvcreate -L 2G vg0 -n boot
# lvcreate -l 100%FREE vg0 -n root</pre>

The LVs created in the previous steps are automatically marked active. To verify, enter:

<pre># lvscan</pre>

== Creating and Mounting the File Systems ==

Format the <code>root</code> and <code>boot</code> LVs using the ext4 file system:

<pre># mkfs.ext4 /dev/vg0/root</pre>

Format the swap LV:

<pre># mkswap /dev/vg0/swap</pre>

Before you can install Alpine Linux, you must mount the partitions and LVs. Mount the root LV to the <code>/mnt/</code> directory:

<pre># mount -t ext4 /dev/vg0/root /mnt/</pre>

Next format your boot partition, create a mount point and mount it:

* If you're using BIOS and MBR:

<pre># mkfs.ext4 /dev/sda1
# mkdir -v /mnt/boot
# mount -t ext4 /dev/sda1 /mnt/boot</pre>

* If you're using UEFI and GPT:

<pre># apk add dosfstools
# mkfs.fat -F32 /dev/sda1
# mkfs.ext4 /dev/vg0/boot
# mkdir -v /mnt/boot
# mount -t ext4 /dev/vg0/boot /mnt/boot
# mkdir -v /mnt/boot/efi
# mount -t vfat /dev/sda1 /mnt/boot/efi</pre>

Lastly, activate your swap partition:

<pre># swapon /dev/vg0/swap</pre>

== Installing Alpine Linux ==

In this step you will install Alpine Linux in the <code>/mnt/</code> directory, which contains the mounted file system structure:

<pre># setup-disk -m sys /mnt/</pre>

The installer downloads the latest packages to install the base installation. Additionally, the installer automatically creates the entries for the mount points in {{Path|/etc/fstab}} file, which is currently mounted in the <code>/mnt/</code> directory.

{{Note|The automatic writing of the master boot record (MBR) fails in this step. You will write the MBR later manually to the disk.}}

The swap LV is not automatically added to the <code>fstab</code> file. To add it manually, add the following line to the {{Path|/mnt/etc/fstab}} file:

<pre>/dev/vg0/swap swap swap defaults 0 0</pre>

Edit the {{Path|/mnt/etc/mkinitfs/mkinitfs.conf}} file and append the <code>cryptsetup</code> module to the <code>features</code> parameter:

<pre>features="... cryptsetup"</pre>

If you are using GRUB with an encrypted <code>/boot</code> you must add the <code>cryptkey</code> feature so that Alpine can use a keyfile for decryption on boot.

{{Note|Alpine Linux uses the <code>en-us</code> keyboard mapping by default when prompting for the password to decrypt the partition at boot time. If you changed the keyboard mapping in the temporary environment and want to use it at the boot password prompt, be sure to also add the <code>keymap</code> feature to the list above.}}

{{Note|Check the output of <code>mkinitfs -L</code> and add the features necessary for your system to boot. You may need to add <code>kms</code> in order to see a password prompt at boot. You may also need: <code>usb</code>, <code>lvm</code>, <code>ext4</code>...}}

Rebuild the initial RAM disk:

<pre># mkinitfs -c /mnt/etc/mkinitfs/mkinitfs.conf -b /mnt/ $(ls /mnt/lib/modules/)</pre>

The command uses the settings from the <code>mkinitfs.conf</code> file set in the <code>-c</code> parameter to generate the RAM disk. The command is executed in the <code>/mnt/</code> directory and the RAM disk is generated using the modules for the installed kernel. Without setting the kernel version using the <code>$(ls /mnt/lib/modules/</code>) option, <code>mkinitfs</code> tries to generate the RAM disk using the kernel version installed in the temporary environment, which can differ from the latest one installed by the <code>setup-disk</code> utility.

== Installing a bootloader ==

To get the UUID of your storage device into a file for later use, use this command:

<pre># blkid -s UUID -o value /dev/sda2 > ~/uuid</pre>

{{Tip|To easily read the UUID into a file so you don't have to type it manually, open the file in <code>vi</code>, then type <code>:r /root/uuid</code> to load the UUID onto a new line.}}

=== Syslinux with BIOS ===

Install the Syslinux package:

<pre># apk add syslinux</pre>

Edit {{Path|/mnt/etc/update-extlinux.conf}} and append the following kernel options to the <code>default_kernel_opts</code> parameter, replacing <UUID> with the UUID of <code>/dev/sda2</code>:

<pre>default_kernel_opts="... cryptroot=UUID=<UUID of sda2> cryptdm=lvmcrypt"</pre>

The <code>cryptroot</code> parameter sets the ID of the device/partition that contains encrypted volumes, and the <code>cryptdm</code> parameter uses the name of the mapping we have already configured a few lines above.

We can also double check if <code>modules</code> and <code>root</code> are set correctly, eg:
<pre>
modules=sd-mod,usb-storage,ext4,cryptsetup,keymap,cryptkey,kms,lvm
root=UUID=<UUID of /dev/mapper/vg0-root>
</pre>

Because the <code>update-extlinux</code> utility operates only on the <code>/boot/</code> directory, temporarily change the root to the <code>/mnt/</code> directory and update the boot loader configuration:

<pre># chroot /mnt/
# update-extlinux
# exit</pre>

: Because we didn't mount <code>/dev</code> nor <code>/proc</code> inside our <code>/mnt/</code> chroot, some errors may occur when we run <code>update-extlinux</code> command. But you can most likely ignore these.

Write the MBR (without partition table) to the <code>/dev/sda</code> device:

<pre># dd bs=440 count=1 conv=notrunc if=/mnt/usr/share/syslinux/mbr.bin of=/dev/sda</pre>

=== Grub with UEFI ===

To avoid having to type your decryption password twice every boot (once for GRUB and once for Alpine), add a keyfile to your LUKS partition. The filename is important.

<pre># dd bs=512 count=4 if=/dev/urandom of=/mnt/crypto_keyfile.bin
# cryptsetup luksAddKey /dev/sda2 /mnt/crypto_keyfile.bin
</pre>

This keyfile is stored encrypted at rest (it is in your LUKS partition), so it's existence does not reduce the security of the system.

Mount the required filesystems for the Grub EFI installer to the installation:

<pre># mount -t proc /proc /mnt/proc
# mount --rbind /dev /mnt/dev
# mount --make-rslave /mnt/dev
# mount --rbind /sys /mnt/sys</pre>

Then chroot in and use <code>grub-install</code> to install Grub.

<pre># chroot /mnt
# source /etc/profile
# export PS1="(chroot) $PS1"</pre>

Install <code>GRUB2</code> for EFI and (optionally) remove syslinux:

<pre># apk add grub grub-efi efibootmgr
# apk del syslinux</pre>

Edit {{Path|/etc/default/grub}} and add the following kernel options to the <code>GRUB_CMDLINE_LINUX_DEFAULT</code> parameter, replacing <UUID> with the UUID of the encrypted partition (in this case, <code>/dev/sda2</code>):

<pre>cryptroot=UUID=<UUID> cryptdm=lvmcrypt cryptkey</pre>

The <code>cryptroot</code> parameter sets the ID of the device/partition that contains encrypted volumes, and the <code>cryptdm</code> parameter uses the name of the mapping we have already configured a few lines above.
The <code>cryptkey</code> parameter indicates the existence of the file <code>/crypto_keyfile.bin</code> you created previously.

To enable GRUB to decrypt LUKS partitions and read LVM volumes add:

<pre>GRUB_PRELOAD_MODULES="luks cryptodisk part_gpt lvm"</pre>

If using at least Alpine v3.11, <code>GRUB_ENABLE_CRYPTODISK=y</code> should also be added to {{Path|/etc/default/grub}}.

<pre># (chroot) grub-install --target=x86_64-efi --efi-directory=/boot/efi
# (chroot) grub-mkconfig -o /boot/grub/grub.cfg
# (chroot) exit</pre>

== Unmounting the Volumes and Partitions ==

Unmount the <code>/mnt/</code> partitions, deactivate the LVM volumes, close the LUKS partition and reboot:

<pre># cd
# umount -l /mnt/dev
# umount -l /mnt/proc
# umount -l /mnt/sys
# umount /mnt/boot/efi
# umount /mnt/boot
# swapoff /dev/vg0/swap
# umount /mnt
# vgchange -a n
# cryptsetup luksClose lvmcrypt
# reboot</pre>

= Troubleshooting =

== General Procedure ==

In case your system fails to boot, you can verify the settings and fix incorrect configurations.

Reboot and do the steps in [[#Preparing_the_Temporary_Installation_Environment|Prepare the temporary installation environment]] again.

Setup the LUKS partition and activate the LVs:

<pre># cryptsetup luksOpen /dev/sda2
# vgchange -ay</pre>

[[#Creating_and_Mounting_the_File Systems|Mount the file systems]]

Verify that you run the steps described in the [[#Installing_Alpine_Linux|Installing Alpine Linux]] section correctly. Update the configuration if necessary, unmount the partitions, then reboot.

== System can't find boot device ==

* GPT partition table on a motherboard that runs BIOS instead of UEFI
* running an MSDOS/MBR/Syslinux install without enabling legacy boot mode in the UEFI settings

== I see "can not mount /sysroot" during boot ==

* incorrect device UUID
* missing module in <code>/mnt/etc/update-extlinux.conf</code> or <code>/mnt/etc/mkinitfs/mkinitfs.conf</code>

== Secure boot ==

If secure boot complains of an unsigned bootloader, you can either disable it or adapt [https://wiki.archlinux.org/index.php/Secure_Boot this] guide to sign GRUB. If you're using Syslinux, then secure boot should be automatically disabled when you enable legacy boot mode.

= Hardening =

* To harden, you should disable DMA[https://old.iseclab.org/papers/acsac2012dma.pdf] and install a hardened version of AES (TRESOR[https://www1.informatik.uni-erlangen.de/tresor] or Loop-Amnesia[http://moongate.ydns.eu/amnesia.html]) since by default cryptsetup with luks uses AES by default.
* Disable DMA in the BIOS and set the password for the BIOS according to Wikipedia.[https://en.wikipedia.org/wiki/DMA_attack]
* Blacklist kernel modules that use DMA and any unused expansion modules (FireWire, CardBus, ExpressCard, Thunderbolt, USB 3.0, PCI Express and hotplug modules) that use DMA.

= Mounting additional encrypted filesystems at boot =

If you would like other encrypted LUKS partitions to be decrypted and mounted automatically during boot, for example if you have <code>/home</code> on a separate physical drive, some extra steps are required. For the purposes of these instructions we will say <code>/dev/sdb1</code> contains an LVM volume that should be mounted at <code>/home</code>.

Create a keyfile and add it to the LUKS partition:

<pre># dd bs=512 count=4 if=/dev/urandom of=/root/crypt-home-keyfile.bin
# cryptsetup luksAddKey /dev/sdb1 /root/crypt-home-keyfile.bin
</pre>

Alpine, like Gentoo, uses the <code>dmcrypt</code> service rather than <code>/etc/crypttab</code>. Add the following lines to <code>/etc/conf.d/dmcrypt</code>:

<pre>target=crypt-home
source='/dev/sdb1'
key='/root/crypt-home-keyfile.bin'
</pre>

Add an entry to <code>/etc/fstab</code>, changing <code>vg1</code> to the name of your LVM volume group:

<pre>/dev/vg1/home /home ext4 rw,relatime 0 2</pre>

Enable the dmcrypt and lvm services to start on boot:

<pre># rc-update add dmcrypt boot
# rc-update add lvm boot
</pre>

After a reboot the partition should be decrypted and mounted automatically.

= See also =
*[[Bootloaders]]
*[[Alpine setup scripts]]
*[[Installing on GPT LVM]]
*[[Setting up LVM on GPT-labeled disks]]
*[[Setting up disks manually]]
*https://wiki.gentoo.org/wiki/Syslinux
*https://wiki.gentoo.org/wiki/GRUB2
*https://wiki.archlinux.org/index.php/Syslinux
*https://wiki.archlinux.org/index.php/GRUB
*https://wiki.gentoo.org/wiki/Sakaki's_EFI_Install_Guide
*https://battlepenguin.com/tech/alpine-linux-with-full-disk-encryption/
*https://wiki.gentoo.org/wiki/Dm-crypt

[[Category:Storage]]
[[Category:Security]]

LVM on LUKS

2021-01-15T21:26:09Z

Pawciobiel: Update info about cryptroot and UUID in GPT with GRUB

= Introduction =

This documentation describes how to set up Alpine Linux on a fully encrypted disk (apart from the bootloader's partition). We will have an LVM container installed inside an encrypted partition. To encrypt the partition containing the LVM volume group, dm-crypt (which is managed by the <code>cryptsetup</code> command) and its LUKS subsystem is used.

Note that your <code>/boot/</code> partition must be non-encrypted to work with Syslinux. When using GRUB2 it is possible to boot from an encrypted partition to provide a layer of protection from [https://en.wikipedia.org/wiki/Evil_maid_attack Evil Maid attacks], but Syslinux doesn't support this.

== Storage Device Name ==

To find your storage device's name, you could either install <code>util-linux</code> (<code>apk add util-linux</code>) and find your device using the <code>lspci</code> command, or you could make an educated guess by using BusyBox's <code>blkid</code> and <code>df</code> commands, and running <code>ls /dev/sd*</code> if you are installing to a USB, SATA or SCSI device, <code>ls /dev/fd*</code> for floppy disks and <code>ls /dev/hd*</code> for IDE (PATA) devices.

The following documentation uses the <code>/dev/sda</code> device as installation destination. If your environment uses a different device name for your storage device, use the corresponding device names in the examples.

= Setting up Alpine Linux Using LVM on Top of a LUKS Partition =

To install Alpine Linux in logical volumes running on top of a LUKS encrypted partition, you cannot use the [[Installation|official installation]] procedure. The installation requires several manual steps you must run in the Alpine Linux Live CD environment.

== Preparing the Temporary Installation Environment ==

Before you begin to install Alpine Linux, prepare the temporary environment:

Boot the latest Alpine Linux Installation CD. At the login prompt, use the <code>root</code> user without a password to log in. Now we will follow the [[Setup-alpine]] script and make our changes along the way.

Run the scripts in this order:

<pre># setup-keymap
# setup-hostname
# setup-interfaces
# rc-service networking start</pre>

If you are configuring static networking (you didn't configure any interfaces to use DHCP), run <code>setup-dns</code>.

If you are using Wi-Fi you may need to do run <code>rc-update add wpa_supplicant boot</code>.

<pre># passwd
# setup-timezone
# rc-update add networking boot
# rc-update add urandom boot
# rc-update add acpid default
# rc-service acpid start</pre>

Edit your {{Path|/etc/hosts}} to look like this, replacing <hostname> with your hostname and <domain> with your TLD (if you don't have a TLD, use 'localdomain':
{{Tip|The default text editor in BusyBox is <code>vi</code> (pronounced ''vee-eye'').}}
{{Cat|/etc/hosts|127.0.0.1 <hostname> <hostname>.<domain> localhost localhost.localdomain
::1 <hostname> <hostname>.<domain> localhost localhost.localdomain}}

{{Note|In order to setup GRUB with UEFI, you are required to use the edge branch with the main and community repository. The reason for this is that <code>efibootmgr</code> is not available in the stable branch. If you do not want to switch completely over to edge you can do something called repository pinning. You will need to do this after the <code>setup-apkrepos</code> step.}}

<pre># setup-apkrepos
# apk update
# setup-sshd
# setup-ntp</pre>

Now we will deviate from the install script.

Install the following packages required to set up LVM and LUKS:

{{Note|The <code>parted</code> partition editor is needed for advanced partitioning and GPT disklabels. BusyBox <code>fdisk</code> is a very stripped-down version with minimal functionality}}

<pre># apk add lvm2 cryptsetup e2fsprogs parted</pre>

Optionally, if you want to overwrite your storage with random data first, install <code>haveged</code>, which is a random number generator based on hardware events and has a higher throughput than <code>/dev/urandom</code>:

<pre># apk add haveged
# rc-service haveged start</pre>

== Creating the Partition Layout ==

Depending on your motherboard and bios features and configuration
we can either use partition table in MBR (legacy BIOS)
or GUID Partition Table (GPT).
Here we will describe those two with example layouts.

=== BIOS/MBR with DOS disklabel ===

We will be partitioning the storage device with a non-encrypted <code>/boot</code> partition for use with the Syslinux bootloader. Syslinux is meant for use with legacy BIOS and the MSDOS MBR partition table. Syslinux does support GPT partition tables but GRUB2 is the better option for UEFI (UEFI is only possible with GPT).

<pre>+---------------------------+------------------------+-----------------------+
| Partition name | Partition purpose | Filesystem type |
+---------------------------+------------------------+-----------------------+
| /dev/sda1 | Boot partition | ext4 |
| /dev/sda2 | LUKS container | LUKS |
| |-> /dev/mapper/lvmcrypt | LVM container | LVM |
| |-> /dev/vg01/root | Root partition | ext4 |
| |-> /dev/vg01/swap | Swap partition | swap |
+---------------------------+------------------------+-----------------------+</pre>

{{Warning|This will delete your previous partitioning table and make your data very hard to recover. If you want to dual boot, stop here and ask an expert.}}

Create an approx. 100MB partition to boot off, then assign the rest of the space to your LUKS partition.

<pre># parted -a optimal
(parted) mklabel msdos
(parted) mkpart primary ext4 0% 100M
(parted) name 1 boot
(parted) set 1 boot on
(parted) mkpart primary ext4 100M 100%
(parted) name 2 crypto-luks</pre>

To view your partition table, type <code>print</code> while still in <code>parted</code>. Your results should look something like this:
<pre>(parted) print
Model: ATA TOSHIBA ******** (scsi)
Disk /dev/sda: 1000GB
Sector size (logical/physical): 512B/4096B
Partition Table: msdos
Disk Flags:

Number Start End Size Type File system Flags
1 1049kB 99.6MB 98.6MB primary ext4 boot
2 99.6MB 1000GB 1000GB primary ext4</pre>

=== UEFI with GPT disklabel ===

We will be encrypting the whole disk but the EFI system partition mounted at <code>/boot/efi</code>. This means that GRUB2 will decrypt the LUKS volume and load the kernel from there, preventing someone with physical access to your computer from maliciously installing a rootkit (or bootkit) in your boot partition while your computer is not already unlocked. The partitioning scheme will look like this:

<pre>+---------------------------+------------------------+-----------------------+
| Partition name | Partition purpose | Filesystem type |
+---------------------------+------------------------+-----------------------+
| /dev/sda1 | EFI system partition | fat32 |
| /dev/sda2 | LUKS container | LUKS |
| |-> /dev/mapper/lvmcrypt | LVM container | LVM |
| |-> /dev/vg01/root | Root partition | ext4 |
| |-> /dev/vg01/boot | Boot partition | ext4 |
| |-> /dev/vg01/swap | Swap partition | swap |
+---------------------------+------------------------+-----------------------+</pre>

{{Warning|This will delete your previous partitioning table and make your data very hard to recover. If you want to dual boot, stop here and ask an expert.}}

Create an approx. 200MB EFI system partition, then assign the rest of the space to your LUKS partition.

<pre># parted -a optimal
(parted) mklabel gpt
(parted) mkpart primary fat32 0% 200M
(parted) name 1 esp
(parted) set 1 esp on
(parted) mkpart primary ext4 200M 100%
(parted) name 2 crypto-luks</pre>

== Optional: Overwrite LUKS Partition with Random Data ==

This should be done if your hard drive wasn't encrypted previously. It helps purge old, non-encrypted data and makes it harder for an attacker to work out how much data you have on your drive if they have access to the encrypted contents.

We will be using <code>haveged</code> as it is considerably faster than <code>/dev/urandom</code> when generating pseudo-random numbers (it's almost as high as <code>/dev/zero</code> in throughput), and is (supposedly) very close to truly random.

<pre># haveged -n 0 | dd of=/dev/sda2</pre>

== Encrypting the LVM Physical Volume Partition ==

To encrypt the partition which will later contain the LVM PV, you could either use the default settings (aes-xts-plain64 cipher with 256-bit key and Argon2 hashing with iter-time 2000ms), or you could use these settings which have added security with the trade-off being a non-noticeable decrease in performance in modern computers:

Default settings:

<pre># cryptsetup luksFormat /dev/sda2</pre>

Optimized for security:

<pre># cryptsetup -v -c serpent-xts-plain64 -s 512 --hash whirlpool --iter-time 5000 --use-random luksFormat /dev/sda2</pre>

If using at least Alpine v3.11 and GRUB2 with encrypted /boot, the following should be used instead (because GRUB2 does not yet support LUKS2 containers):

<pre># cryptsetup luksFormat --type luks1 /dev/sda2</pre>

== Creating the Logical Volumes and File Systems ==

Open the LUKS partition:

<pre># cryptsetup luksOpen /dev/sda2 lvmcrypt</pre>

Create the PV on <code>lvmcrypt</code>:

<pre># pvcreate /dev/mapper/lvmcrypt</pre>

Create the <code>vg0</code> LVM VG in the <code>/dev/mapper/lvmcrypt</code> PV:

<pre># vgcreate vg0 /dev/mapper/lvmcrypt</pre>

=== LV Creation for BIOS/MBR ===

This will create a 2GB swap partition and a root partition which takes up the rest of the space. This setup is for those who do not need to use the hibernate/suspend to disk state. If you do need to suspend to disk, create a swap partition slightly larger than the size of your RAM (change the size after <code># lvcreate -L</code>).

<pre># lvcreate -L 2G vg0 -n swap
# lvcreate -l 100%FREE vg0 -n root</pre>

The LVs created in the previous steps are automatically marked active. To verify, enter:

<pre># lvscan</pre>

=== LV Creation for UEFI/GPT ===

This will create a 2GB swap partition, a 2GB boot partition and a root partition which takes up the rest of the space. This setup is for those who do not need to use the hibernate/suspend to disk state. If you do need to suspend to disk, create a swap partition slightly larger than the size of your RAM (change the size after <code># lvcreate -L</code>).

<pre># lvcreate -L 2G vg0 -n swap
# lvcreate -L 2G vg0 -n boot
# lvcreate -l 100%FREE vg0 -n root</pre>

The LVs created in the previous steps are automatically marked active. To verify, enter:

<pre># lvscan</pre>

== Creating and Mounting the File Systems ==

Format the <code>root</code> and <code>boot</code> LVs using the ext4 file system:

<pre># mkfs.ext4 /dev/vg0/root</pre>

Format the swap LV:

<pre># mkswap /dev/vg0/swap</pre>

Before you can install Alpine Linux, you must mount the partitions and LVs. Mount the root LV to the <code>/mnt/</code> directory:

<pre># mount -t ext4 /dev/vg0/root /mnt/</pre>

Next format your boot partition, create a mount point and mount it:

* If you're using BIOS and MBR:

<pre># mkfs.ext4 /dev/sda1
# mkdir -v /mnt/boot
# mount -t ext4 /dev/sda1 /mnt/boot</pre>

* If you're using UEFI and GPT:

<pre># apk add dosfstools
# mkfs.fat -F32 /dev/sda1
# mkfs.ext4 /dev/vg0/boot
# mkdir -v /mnt/boot
# mount -t ext4 /dev/vg0/boot /mnt/boot
# mkdir -v /mnt/boot/efi
# mount -t vfat /dev/sda1 /mnt/boot/efi</pre>

Lastly, activate your swap partition:

<pre># swapon /dev/vg0/swap</pre>

== Installing Alpine Linux ==

In this step you will install Alpine Linux in the <code>/mnt/</code> directory, which contains the mounted file system structure:

<pre># setup-disk -m sys /mnt/</pre>

The installer downloads the latest packages to install the base installation. Additionally, the installer automatically creates the entries for the mount points in {{Path|/etc/fstab}} file, which is currently mounted in the <code>/mnt/</code> directory.

{{Note|The automatic writing of the master boot record (MBR) fails in this step. You will write the MBR later manually to the disk.}}

The swap LV is not automatically added to the <code>fstab</code> file. To add it manually, add the following line to the {{Path|/mnt/etc/fstab}} file:

<pre>/dev/vg0/swap swap swap defaults 0 0</pre>

Edit the {{Path|/mnt/etc/mkinitfs/mkinitfs.conf}} file and append the <code>cryptsetup</code> module to the <code>features</code> parameter:

<pre>features="... cryptsetup"</pre>

If you are using GRUB with an encrypted <code>/boot</code> you must add the <code>cryptkey</code> feature so that Alpine can use a keyfile for decryption on boot.

{{Note|Alpine Linux uses the <code>en-us</code> keyboard mapping by default when prompting for the password to decrypt the partition at boot time. If you changed the keyboard mapping in the temporary environment and want to use it at the boot password prompt, be sure to also add the <code>keymap</code> feature to the list above.}}

{{Note|Check the output of <code>mkinitfs -L</code> and add the features necessary for your system to boot. You may need to add <code>kms</code> in order to see a password prompt at boot. You may also need: <code>usb</code>, <code>lvm</code>, <code>ext4</code>...}}

Rebuild the initial RAM disk:

<pre># mkinitfs -c /mnt/etc/mkinitfs/mkinitfs.conf -b /mnt/ $(ls /mnt/lib/modules/)</pre>

The command uses the settings from the <code>mkinitfs.conf</code> file set in the <code>-c</code> parameter to generate the RAM disk. The command is executed in the <code>/mnt/</code> directory and the RAM disk is generated using the modules for the installed kernel. Without setting the kernel version using the <code>$(ls /mnt/lib/modules/</code>) option, <code>mkinitfs</code> tries to generate the RAM disk using the kernel version installed in the temporary environment, which can differ from the latest one installed by the <code>setup-disk</code> utility.

== Installing a bootloader ==

To get the UUID of your storage device into a file for later use, use this command:

<pre># blkid -s UUID -o value /dev/sda2 > ~/uuid</pre>

{{Tip|To easily read the UUID into a file so you don't have to type it manually, open the file in <code>vi</code>, then type <code>:r /root/uuid</code> to load the UUID onto a new line.}}

=== Syslinux with BIOS ===

Install the Syslinux package:

<pre># apk add syslinux</pre>

Edit {{Path|/mnt/etc/update-extlinux.conf}} and append the following kernel options to the <code>default_kernel_opts</code> parameter, replacing <UUID> with the UUID of <code>/dev/sda2</code>:

<pre>default_kernel_opts="... cryptroot=UUID=<UUID of sda2> cryptdm=lvmcrypt"</pre>

The <code>cryptroot</code> parameter sets the ID of the device/partition that contains encrypted volumes, and the <code>cryptdm</code> parameter uses the name of the mapping we have already configured a few lines above.

We can also double check if <code>modules</code> and <code>root</code> are set correctly, eg:
<pre>
modules=sd-mod,usb-storage,ext4,cryptsetup,keymap,cryptkey,kms,lvm
root=UUID=<UUID of /dev/mapper/vg0-root>
</pre>

Because the <code>update-extlinux</code> utility operates only on the <code>/boot/</code> directory, temporarily change the root to the <code>/mnt/</code> directory and update the boot loader configuration:

<pre># chroot /mnt/
# update-extlinux
# exit</pre>

: Because we didn't mount <code>/dev</code> nor <code>/proc</code> inside our <code>/mnt/</code> chroot, some errors may occur when we run <code>update-extlinux</code> command. But you can most likely ignore these.

Write the MBR (without partition table) to the <code>/dev/sda</code> device:

<pre># dd bs=440 count=1 conv=notrunc if=/mnt/usr/share/syslinux/mbr.bin of=/dev/sda</pre>

=== Grub with UEFI ===

To avoid having to type your decryption password twice every boot (once for GRUB and once for Alpine), add a keyfile to your LUKS partition. The filename is important.

<pre># dd bs=512 count=4 if=/dev/urandom of=/mnt/crypto_keyfile.bin
# cryptsetup luksAddKey /dev/sda2 /mnt/crypto_keyfile.bin
</pre>

This keyfile is stored encrypted at rest (it is in your LUKS partition), so it's existence does not reduce the security of the system.

Mount the required filesystems for the Grub EFI installer to the installation:

<pre># mount -t proc /proc /mnt/proc
# mount --rbind /dev /mnt/dev
# mount --make-rslave /mnt/dev
# mount --rbind /sys /mnt/sys</pre>

Then chroot in and use <code>grub-install</code> to install Grub.

<pre># chroot /mnt
# source /etc/profile
# export PS1="(chroot) $PS1"</pre>

Install <code>GRUB2</code> for EFI and (optionally) remove syslinux:

<pre># apk add grub grub-efi efibootmgr
# apk del syslinux</pre>

Edit {{Path|/etc/default/grub}} and add the following kernel options to the <code>GRUB_CMDLINE_LINUX_DEFAULT</code> parameter, replacing <UUID> with the UUID of the encrypted partition (in this case, <code>/dev/sda2</code>):

<pre>cryptroot=UUID=<UUID> cryptdm=lvmcrypt cryptkey</pre>

The <code>cryptroot</code> parameter sets the ID of the device/partition that contains encrypted volumes, and the <code>cryptdm</code> parameter uses the name of the mapping we have already configured a few lines above.
The <code>cryptkey</code> parameter indicates the existence of the file <code>/crypto_keyfile.bin</code> you created previously.

To enable GRUB to decrypt LUKS partitions and read LVM volumes add:

<pre>GRUB_PRELOAD_MODULES="luks cryptodisk part_gpt lvm"</pre>

If using at least Alpine v3.11, <code>GRUB_ENABLE_CRYPTODISK=y</code> should also be added to {{Path|/etc/default/grub}}.

<pre># (chroot) grub-install --target=x86_64-efi --efi-directory=/boot/efi
# (chroot) grub-mkconfig -o /boot/grub/grub.cfg
# (chroot) exit</pre>

== Unmounting the Volumes and Partitions ==

Unmount the <code>/mnt/</code> partitions, deactivate the LVM volumes, close the LUKS partition and reboot:

<pre># cd
# umount -l /mnt/dev
# umount -l /mnt/proc
# umount -l /mnt/sys
# umount /mnt/boot/efi
# umount /mnt/boot
# swapoff /dev/vg0/swap
# umount /mnt
# vgchange -a n
# cryptsetup luksClose lvmcrypt
# reboot</pre>

= Troubleshooting =

== General Procedure ==

In case your system fails to boot, you can verify the settings and fix incorrect configurations.

Reboot and do the steps in [[#Preparing_the_Temporary_Installation_Environment|Prepare the temporary installation environment]] again.

Setup the LUKS partition and activate the LVs:

<pre># cryptsetup luksOpen /dev/sda2
# vgchange -ay</pre>

[[#Creating_and_Mounting_the_File Systems|Mount the file systems]]

Verify that you run the steps described in the [[#Installing_Alpine_Linux|Installing Alpine Linux]] section correctly. Update the configuration if necessary, unmount the partitions, then reboot.

== System can't find boot device ==

This can be because you are using a GPT partition table on a motherboard that runs BIOS instead of UEFI, or you are running an MSDOS/MBR/Syslinux install without enabling legacy boot mode in the UEFI settings.

== Secure boot ==

If secure boot complains of an unsigned bootloader, you can either disable it or adapt [https://wiki.archlinux.org/index.php/Secure_Boot this] guide to sign GRUB. If you're using Syslinux, then secure boot should be automatically disabled when you enable legacy boot mode.

= Hardening =

* To harden, you should disable DMA[https://old.iseclab.org/papers/acsac2012dma.pdf] and install a hardened version of AES (TRESOR[https://www1.informatik.uni-erlangen.de/tresor] or Loop-Amnesia[http://moongate.ydns.eu/amnesia.html]) since by default cryptsetup with luks uses AES by default.
* Disable DMA in the BIOS and set the password for the BIOS according to Wikipedia.[https://en.wikipedia.org/wiki/DMA_attack]
* Blacklist kernel modules that use DMA and any unused expansion modules (FireWire, CardBus, ExpressCard, Thunderbolt, USB 3.0, PCI Express and hotplug modules) that use DMA.

= Mounting additional encrypted filesystems at boot =

If you would like other encrypted LUKS partitions to be decrypted and mounted automatically during boot, for example if you have <code>/home</code> on a separate physical drive, some extra steps are required. For the purposes of these instructions we will say <code>/dev/sdb1</code> contains an LVM volume that should be mounted at <code>/home</code>.

Create a keyfile and add it to the LUKS partition:

<pre># dd bs=512 count=4 if=/dev/urandom of=/root/crypt-home-keyfile.bin
# cryptsetup luksAddKey /dev/sdb1 /root/crypt-home-keyfile.bin
</pre>

Alpine, like Gentoo, uses the <code>dmcrypt</code> service rather than <code>/etc/crypttab</code>. Add the following lines to <code>/etc/conf.d/dmcrypt</code>:

<pre>target=crypt-home
source='/dev/sdb1'
key='/root/crypt-home-keyfile.bin'
</pre>

Add an entry to <code>/etc/fstab</code>, changing <code>vg1</code> to the name of your LVM volume group:

<pre>/dev/vg1/home /home ext4 rw,relatime 0 2</pre>

Enable the dmcrypt and lvm services to start on boot:

<pre># rc-update add dmcrypt boot
# rc-update add lvm boot
</pre>

After a reboot the partition should be decrypted and mounted automatically.

= See also =
*[[Bootloaders]]
*[[Alpine setup scripts]]
*[[Installing on GPT LVM]]
*[[Setting up LVM on GPT-labeled disks]]
*[[Setting up disks manually]]
*https://wiki.gentoo.org/wiki/Syslinux
*https://wiki.gentoo.org/wiki/GRUB2
*https://wiki.archlinux.org/index.php/Syslinux
*https://wiki.archlinux.org/index.php/GRUB
*https://wiki.gentoo.org/wiki/Sakaki's_EFI_Install_Guide
*https://battlepenguin.com/tech/alpine-linux-with-full-disk-encryption/
*https://wiki.gentoo.org/wiki/Dm-crypt

[[Category:Storage]]
[[Category:Security]]

LVM on LUKS

2021-01-15T21:19:05Z

Pawciobiel: Expand info about syslinux package and devs UUIDs

= Introduction =

This documentation describes how to set up Alpine Linux on a fully encrypted disk (apart from the bootloader's partition). We will have an LVM container installed inside an encrypted partition. To encrypt the partition containing the LVM volume group, dm-crypt (which is managed by the <code>cryptsetup</code> command) and its LUKS subsystem is used.

Note that your <code>/boot/</code> partition must be non-encrypted to work with Syslinux. When using GRUB2 it is possible to boot from an encrypted partition to provide a layer of protection from [https://en.wikipedia.org/wiki/Evil_maid_attack Evil Maid attacks], but Syslinux doesn't support this.

== Storage Device Name ==

To find your storage device's name, you could either install <code>util-linux</code> (<code>apk add util-linux</code>) and find your device using the <code>lspci</code> command, or you could make an educated guess by using BusyBox's <code>blkid</code> and <code>df</code> commands, and running <code>ls /dev/sd*</code> if you are installing to a USB, SATA or SCSI device, <code>ls /dev/fd*</code> for floppy disks and <code>ls /dev/hd*</code> for IDE (PATA) devices.

The following documentation uses the <code>/dev/sda</code> device as installation destination. If your environment uses a different device name for your storage device, use the corresponding device names in the examples.

= Setting up Alpine Linux Using LVM on Top of a LUKS Partition =

To install Alpine Linux in logical volumes running on top of a LUKS encrypted partition, you cannot use the [[Installation|official installation]] procedure. The installation requires several manual steps you must run in the Alpine Linux Live CD environment.

== Preparing the Temporary Installation Environment ==

Before you begin to install Alpine Linux, prepare the temporary environment:

Boot the latest Alpine Linux Installation CD. At the login prompt, use the <code>root</code> user without a password to log in. Now we will follow the [[Setup-alpine]] script and make our changes along the way.

Run the scripts in this order:

<pre># setup-keymap
# setup-hostname
# setup-interfaces
# rc-service networking start</pre>

If you are configuring static networking (you didn't configure any interfaces to use DHCP), run <code>setup-dns</code>.

If you are using Wi-Fi you may need to do run <code>rc-update add wpa_supplicant boot</code>.

<pre># passwd
# setup-timezone
# rc-update add networking boot
# rc-update add urandom boot
# rc-update add acpid default
# rc-service acpid start</pre>

Edit your {{Path|/etc/hosts}} to look like this, replacing <hostname> with your hostname and <domain> with your TLD (if you don't have a TLD, use 'localdomain':
{{Tip|The default text editor in BusyBox is <code>vi</code> (pronounced ''vee-eye'').}}
{{Cat|/etc/hosts|127.0.0.1 <hostname> <hostname>.<domain> localhost localhost.localdomain
::1 <hostname> <hostname>.<domain> localhost localhost.localdomain}}

{{Note|In order to setup GRUB with UEFI, you are required to use the edge branch with the main and community repository. The reason for this is that <code>efibootmgr</code> is not available in the stable branch. If you do not want to switch completely over to edge you can do something called repository pinning. You will need to do this after the <code>setup-apkrepos</code> step.}}

<pre># setup-apkrepos
# apk update
# setup-sshd
# setup-ntp</pre>

Now we will deviate from the install script.

Install the following packages required to set up LVM and LUKS:

{{Note|The <code>parted</code> partition editor is needed for advanced partitioning and GPT disklabels. BusyBox <code>fdisk</code> is a very stripped-down version with minimal functionality}}

<pre># apk add lvm2 cryptsetup e2fsprogs parted</pre>

Optionally, if you want to overwrite your storage with random data first, install <code>haveged</code>, which is a random number generator based on hardware events and has a higher throughput than <code>/dev/urandom</code>:

<pre># apk add haveged
# rc-service haveged start</pre>

== Creating the Partition Layout ==

Depending on your motherboard and bios features and configuration
we can either use partition table in MBR (legacy BIOS)
or GUID Partition Table (GPT).
Here we will describe those two with example layouts.

=== BIOS/MBR with DOS disklabel ===

We will be partitioning the storage device with a non-encrypted <code>/boot</code> partition for use with the Syslinux bootloader. Syslinux is meant for use with legacy BIOS and the MSDOS MBR partition table. Syslinux does support GPT partition tables but GRUB2 is the better option for UEFI (UEFI is only possible with GPT).

<pre>+---------------------------+------------------------+-----------------------+
| Partition name | Partition purpose | Filesystem type |
+---------------------------+------------------------+-----------------------+
| /dev/sda1 | Boot partition | ext4 |
| /dev/sda2 | LUKS container | LUKS |
| |-> /dev/mapper/lvmcrypt | LVM container | LVM |
| |-> /dev/vg01/root | Root partition | ext4 |
| |-> /dev/vg01/swap | Swap partition | swap |
+---------------------------+------------------------+-----------------------+</pre>

{{Warning|This will delete your previous partitioning table and make your data very hard to recover. If you want to dual boot, stop here and ask an expert.}}

Create an approx. 100MB partition to boot off, then assign the rest of the space to your LUKS partition.

<pre># parted -a optimal
(parted) mklabel msdos
(parted) mkpart primary ext4 0% 100M
(parted) name 1 boot
(parted) set 1 boot on
(parted) mkpart primary ext4 100M 100%
(parted) name 2 crypto-luks</pre>

To view your partition table, type <code>print</code> while still in <code>parted</code>. Your results should look something like this:
<pre>(parted) print
Model: ATA TOSHIBA ******** (scsi)
Disk /dev/sda: 1000GB
Sector size (logical/physical): 512B/4096B
Partition Table: msdos
Disk Flags:

Number Start End Size Type File system Flags
1 1049kB 99.6MB 98.6MB primary ext4 boot
2 99.6MB 1000GB 1000GB primary ext4</pre>

=== UEFI with GPT disklabel ===

We will be encrypting the whole disk but the EFI system partition mounted at <code>/boot/efi</code>. This means that GRUB2 will decrypt the LUKS volume and load the kernel from there, preventing someone with physical access to your computer from maliciously installing a rootkit (or bootkit) in your boot partition while your computer is not already unlocked. The partitioning scheme will look like this:

<pre>+---------------------------+------------------------+-----------------------+
| Partition name | Partition purpose | Filesystem type |
+---------------------------+------------------------+-----------------------+
| /dev/sda1 | EFI system partition | fat32 |
| /dev/sda2 | LUKS container | LUKS |
| |-> /dev/mapper/lvmcrypt | LVM container | LVM |
| |-> /dev/vg01/root | Root partition | ext4 |
| |-> /dev/vg01/boot | Boot partition | ext4 |
| |-> /dev/vg01/swap | Swap partition | swap |
+---------------------------+------------------------+-----------------------+</pre>

{{Warning|This will delete your previous partitioning table and make your data very hard to recover. If you want to dual boot, stop here and ask an expert.}}

Create an approx. 200MB EFI system partition, then assign the rest of the space to your LUKS partition.

<pre># parted -a optimal
(parted) mklabel gpt
(parted) mkpart primary fat32 0% 200M
(parted) name 1 esp
(parted) set 1 esp on
(parted) mkpart primary ext4 200M 100%
(parted) name 2 crypto-luks</pre>

== Optional: Overwrite LUKS Partition with Random Data ==

This should be done if your hard drive wasn't encrypted previously. It helps purge old, non-encrypted data and makes it harder for an attacker to work out how much data you have on your drive if they have access to the encrypted contents.

We will be using <code>haveged</code> as it is considerably faster than <code>/dev/urandom</code> when generating pseudo-random numbers (it's almost as high as <code>/dev/zero</code> in throughput), and is (supposedly) very close to truly random.

<pre># haveged -n 0 | dd of=/dev/sda2</pre>

== Encrypting the LVM Physical Volume Partition ==

To encrypt the partition which will later contain the LVM PV, you could either use the default settings (aes-xts-plain64 cipher with 256-bit key and Argon2 hashing with iter-time 2000ms), or you could use these settings which have added security with the trade-off being a non-noticeable decrease in performance in modern computers:

Default settings:

<pre># cryptsetup luksFormat /dev/sda2</pre>

Optimized for security:

<pre># cryptsetup -v -c serpent-xts-plain64 -s 512 --hash whirlpool --iter-time 5000 --use-random luksFormat /dev/sda2</pre>

If using at least Alpine v3.11 and GRUB2 with encrypted /boot, the following should be used instead (because GRUB2 does not yet support LUKS2 containers):

<pre># cryptsetup luksFormat --type luks1 /dev/sda2</pre>

== Creating the Logical Volumes and File Systems ==

Open the LUKS partition:

<pre># cryptsetup luksOpen /dev/sda2 lvmcrypt</pre>

Create the PV on <code>lvmcrypt</code>:

<pre># pvcreate /dev/mapper/lvmcrypt</pre>

Create the <code>vg0</code> LVM VG in the <code>/dev/mapper/lvmcrypt</code> PV:

<pre># vgcreate vg0 /dev/mapper/lvmcrypt</pre>

=== LV Creation for BIOS/MBR ===

This will create a 2GB swap partition and a root partition which takes up the rest of the space. This setup is for those who do not need to use the hibernate/suspend to disk state. If you do need to suspend to disk, create a swap partition slightly larger than the size of your RAM (change the size after <code># lvcreate -L</code>).

<pre># lvcreate -L 2G vg0 -n swap
# lvcreate -l 100%FREE vg0 -n root</pre>

The LVs created in the previous steps are automatically marked active. To verify, enter:

<pre># lvscan</pre>

=== LV Creation for UEFI/GPT ===

This will create a 2GB swap partition, a 2GB boot partition and a root partition which takes up the rest of the space. This setup is for those who do not need to use the hibernate/suspend to disk state. If you do need to suspend to disk, create a swap partition slightly larger than the size of your RAM (change the size after <code># lvcreate -L</code>).

<pre># lvcreate -L 2G vg0 -n swap
# lvcreate -L 2G vg0 -n boot
# lvcreate -l 100%FREE vg0 -n root</pre>

The LVs created in the previous steps are automatically marked active. To verify, enter:

<pre># lvscan</pre>

== Creating and Mounting the File Systems ==

Format the <code>root</code> and <code>boot</code> LVs using the ext4 file system:

<pre># mkfs.ext4 /dev/vg0/root</pre>

Format the swap LV:

<pre># mkswap /dev/vg0/swap</pre>

Before you can install Alpine Linux, you must mount the partitions and LVs. Mount the root LV to the <code>/mnt/</code> directory:

<pre># mount -t ext4 /dev/vg0/root /mnt/</pre>

Next format your boot partition, create a mount point and mount it:

* If you're using BIOS and MBR:

<pre># mkfs.ext4 /dev/sda1
# mkdir -v /mnt/boot
# mount -t ext4 /dev/sda1 /mnt/boot</pre>

* If you're using UEFI and GPT:

<pre># apk add dosfstools
# mkfs.fat -F32 /dev/sda1
# mkfs.ext4 /dev/vg0/boot
# mkdir -v /mnt/boot
# mount -t ext4 /dev/vg0/boot /mnt/boot
# mkdir -v /mnt/boot/efi
# mount -t vfat /dev/sda1 /mnt/boot/efi</pre>

Lastly, activate your swap partition:

<pre># swapon /dev/vg0/swap</pre>

== Installing Alpine Linux ==

In this step you will install Alpine Linux in the <code>/mnt/</code> directory, which contains the mounted file system structure:

<pre># setup-disk -m sys /mnt/</pre>

The installer downloads the latest packages to install the base installation. Additionally, the installer automatically creates the entries for the mount points in {{Path|/etc/fstab}} file, which is currently mounted in the <code>/mnt/</code> directory.

{{Note|The automatic writing of the master boot record (MBR) fails in this step. You will write the MBR later manually to the disk.}}

The swap LV is not automatically added to the <code>fstab</code> file. To add it manually, add the following line to the {{Path|/mnt/etc/fstab}} file:

<pre>/dev/vg0/swap swap swap defaults 0 0</pre>

Edit the {{Path|/mnt/etc/mkinitfs/mkinitfs.conf}} file and append the <code>cryptsetup</code> module to the <code>features</code> parameter:

<pre>features="... cryptsetup"</pre>

If you are using GRUB with an encrypted <code>/boot</code> you must add the <code>cryptkey</code> feature so that Alpine can use a keyfile for decryption on boot.

{{Note|Alpine Linux uses the <code>en-us</code> keyboard mapping by default when prompting for the password to decrypt the partition at boot time. If you changed the keyboard mapping in the temporary environment and want to use it at the boot password prompt, be sure to also add the <code>keymap</code> feature to the list above.}}

{{Note|Check the output of <code>mkinitfs -L</code> and add the features necessary for your system to boot. You may need to add <code>kms</code> in order to see a password prompt at boot. You may also need: <code>usb</code>, <code>lvm</code>, <code>ext4</code>...}}

Rebuild the initial RAM disk:

<pre># mkinitfs -c /mnt/etc/mkinitfs/mkinitfs.conf -b /mnt/ $(ls /mnt/lib/modules/)</pre>

The command uses the settings from the <code>mkinitfs.conf</code> file set in the <code>-c</code> parameter to generate the RAM disk. The command is executed in the <code>/mnt/</code> directory and the RAM disk is generated using the modules for the installed kernel. Without setting the kernel version using the <code>$(ls /mnt/lib/modules/</code>) option, <code>mkinitfs</code> tries to generate the RAM disk using the kernel version installed in the temporary environment, which can differ from the latest one installed by the <code>setup-disk</code> utility.

== Installing a bootloader ==

To get the UUID of your storage device into a file for later use, use this command:

<pre># blkid -s UUID -o value /dev/sda2 > ~/uuid</pre>

{{Tip|To easily read the UUID into a file so you don't have to type it manually, open the file in <code>vi</code>, then type <code>:r /root/uuid</code> to load the UUID onto a new line.}}

=== Syslinux with BIOS ===

Install the Syslinux package:

<pre># apk add syslinux</pre>

Edit {{Path|/mnt/etc/update-extlinux.conf}} and append the following kernel options to the <code>default_kernel_opts</code> parameter, replacing <UUID> with the UUID of <code>/dev/sda2</code>:

<pre>default_kernel_opts="... cryptroot=UUID=<UUID of sda2> cryptdm=lvmcrypt"</pre>

The <code>cryptroot</code> parameter sets the ID of the device/partition that contains encrypted volumes, and the <code>cryptdm</code> parameter uses the name of the mapping we have already configured a few lines above.

We can also double check if <code>modules</code> and <code>root</code> are set correctly, eg:
<pre>
modules=sd-mod,usb-storage,ext4,cryptsetup,keymap,cryptkey,kms,lvm
root=UUID=<UUID of /dev/mapper/vg0-root>
</pre>

Because the <code>update-extlinux</code> utility operates only on the <code>/boot/</code> directory, temporarily change the root to the <code>/mnt/</code> directory and update the boot loader configuration:

<pre># chroot /mnt/
# update-extlinux
# exit</pre>

: Because we didn't mount <code>/dev</code> nor <code>/proc</code> inside our <code>/mnt/</code> chroot, some errors may occur when we run <code>update-extlinux</code> command. But you can most likely ignore these.

Write the MBR (without partition table) to the <code>/dev/sda</code> device:

<pre># dd bs=440 count=1 conv=notrunc if=/mnt/usr/share/syslinux/mbr.bin of=/dev/sda</pre>

=== Grub with UEFI ===

To avoid having to type your decryption password twice every boot (once for GRUB and once for Alpine), add a keyfile to your LUKS partition. The filename is important.

<pre># dd bs=512 count=4 if=/dev/urandom of=/mnt/crypto_keyfile.bin
# cryptsetup luksAddKey /dev/sda2 /mnt/crypto_keyfile.bin
</pre>

This keyfile is stored encrypted at rest (it is in your LUKS partition), so it's existence does not reduce the security of the system.

Mount the required filesystems for the Grub EFI installer to the installation:

<pre># mount -t proc /proc /mnt/proc
# mount --rbind /dev /mnt/dev
# mount --make-rslave /mnt/dev
# mount --rbind /sys /mnt/sys</pre>

Then chroot in and use <code>grub-install</code> to install Grub.

<pre># chroot /mnt
# source /etc/profile
# export PS1="(chroot) $PS1"</pre>

Install <code>GRUB2</code> for EFI and (optionally) remove syslinux:

<pre># apk add grub grub-efi efibootmgr
# apk del syslinux</pre>

Edit {{Path|/etc/default/grub}} and add the following kernel options to the <code>GRUB_CMDLINE_LINUX_DEFAULT</code> parameter, replacing <UUID> with the UUID of the encrypted partition (in this case, <code>/dev/sda2</code>):

<pre>cryptroot=UUID=<UUID> cryptdm=lvmcrypt cryptkey</pre>

The <code>cryptroot</code> parameter sets the name of the device that contains the root file system. The <code>cryptkey</code> parameter indicates the existence of the file <code>/crypto_keyfile.bin</code> you created previously.

To enable GRUB to decrypt LUKS partitions and read LVM volumes add:

<pre>GRUB_PRELOAD_MODULES="luks cryptodisk part_gpt lvm"</pre>

If using at least Alpine v3.11, <code>GRUB_ENABLE_CRYPTODISK=y</code> should also be added to {{Path|/etc/default/grub}}.

<pre># (chroot) grub-install --target=x86_64-efi --efi-directory=/boot/efi
# (chroot) grub-mkconfig -o /boot/grub/grub.cfg
# (chroot) exit</pre>

== Unmounting the Volumes and Partitions ==

Unmount the <code>/mnt/</code> partitions, deactivate the LVM volumes, close the LUKS partition and reboot:

<pre># cd
# umount -l /mnt/dev
# umount -l /mnt/proc
# umount -l /mnt/sys
# umount /mnt/boot/efi
# umount /mnt/boot
# swapoff /dev/vg0/swap
# umount /mnt
# vgchange -a n
# cryptsetup luksClose lvmcrypt
# reboot</pre>

= Troubleshooting =

== General Procedure ==

In case your system fails to boot, you can verify the settings and fix incorrect configurations.

Reboot and do the steps in [[#Preparing_the_Temporary_Installation_Environment|Prepare the temporary installation environment]] again.

Setup the LUKS partition and activate the LVs:

<pre># cryptsetup luksOpen /dev/sda2
# vgchange -ay</pre>

[[#Creating_and_Mounting_the_File Systems|Mount the file systems]]

Verify that you run the steps described in the [[#Installing_Alpine_Linux|Installing Alpine Linux]] section correctly. Update the configuration if necessary, unmount the partitions, then reboot.

== System can't find boot device ==

This can be because you are using a GPT partition table on a motherboard that runs BIOS instead of UEFI, or you are running an MSDOS/MBR/Syslinux install without enabling legacy boot mode in the UEFI settings.

== Secure boot ==

If secure boot complains of an unsigned bootloader, you can either disable it or adapt [https://wiki.archlinux.org/index.php/Secure_Boot this] guide to sign GRUB. If you're using Syslinux, then secure boot should be automatically disabled when you enable legacy boot mode.

= Hardening =

* To harden, you should disable DMA[https://old.iseclab.org/papers/acsac2012dma.pdf] and install a hardened version of AES (TRESOR[https://www1.informatik.uni-erlangen.de/tresor] or Loop-Amnesia[http://moongate.ydns.eu/amnesia.html]) since by default cryptsetup with luks uses AES by default.
* Disable DMA in the BIOS and set the password for the BIOS according to Wikipedia.[https://en.wikipedia.org/wiki/DMA_attack]
* Blacklist kernel modules that use DMA and any unused expansion modules (FireWire, CardBus, ExpressCard, Thunderbolt, USB 3.0, PCI Express and hotplug modules) that use DMA.

= Mounting additional encrypted filesystems at boot =

If you would like other encrypted LUKS partitions to be decrypted and mounted automatically during boot, for example if you have <code>/home</code> on a separate physical drive, some extra steps are required. For the purposes of these instructions we will say <code>/dev/sdb1</code> contains an LVM volume that should be mounted at <code>/home</code>.

Create a keyfile and add it to the LUKS partition:

<pre># dd bs=512 count=4 if=/dev/urandom of=/root/crypt-home-keyfile.bin
# cryptsetup luksAddKey /dev/sdb1 /root/crypt-home-keyfile.bin
</pre>

Alpine, like Gentoo, uses the <code>dmcrypt</code> service rather than <code>/etc/crypttab</code>. Add the following lines to <code>/etc/conf.d/dmcrypt</code>:

<pre>target=crypt-home
source='/dev/sdb1'
key='/root/crypt-home-keyfile.bin'
</pre>

Add an entry to <code>/etc/fstab</code>, changing <code>vg1</code> to the name of your LVM volume group:

<pre>/dev/vg1/home /home ext4 rw,relatime 0 2</pre>

Enable the dmcrypt and lvm services to start on boot:

<pre># rc-update add dmcrypt boot
# rc-update add lvm boot
</pre>

After a reboot the partition should be decrypted and mounted automatically.

= See also =
*[[Bootloaders]]
*[[Alpine setup scripts]]
*[[Installing on GPT LVM]]
*[[Setting up LVM on GPT-labeled disks]]
*[[Setting up disks manually]]
*https://wiki.gentoo.org/wiki/Syslinux
*https://wiki.gentoo.org/wiki/GRUB2
*https://wiki.archlinux.org/index.php/Syslinux
*https://wiki.archlinux.org/index.php/GRUB
*https://wiki.gentoo.org/wiki/Sakaki's_EFI_Install_Guide
*https://battlepenguin.com/tech/alpine-linux-with-full-disk-encryption/
*https://wiki.gentoo.org/wiki/Dm-crypt

[[Category:Storage]]
[[Category:Security]]

LVM on LUKS

2021-01-15T20:58:19Z

Pawciobiel: Expand note about modules list in mkinitfs.conf

= Introduction =

This documentation describes how to set up Alpine Linux on a fully encrypted disk (apart from the bootloader's partition). We will have an LVM container installed inside an encrypted partition. To encrypt the partition containing the LVM volume group, dm-crypt (which is managed by the <code>cryptsetup</code> command) and its LUKS subsystem is used.

Note that your <code>/boot/</code> partition must be non-encrypted to work with Syslinux. When using GRUB2 it is possible to boot from an encrypted partition to provide a layer of protection from [https://en.wikipedia.org/wiki/Evil_maid_attack Evil Maid attacks], but Syslinux doesn't support this.

== Storage Device Name ==

To find your storage device's name, you could either install <code>util-linux</code> (<code>apk add util-linux</code>) and find your device using the <code>lspci</code> command, or you could make an educated guess by using BusyBox's <code>blkid</code> and <code>df</code> commands, and running <code>ls /dev/sd*</code> if you are installing to a USB, SATA or SCSI device, <code>ls /dev/fd*</code> for floppy disks and <code>ls /dev/hd*</code> for IDE (PATA) devices.

The following documentation uses the <code>/dev/sda</code> device as installation destination. If your environment uses a different device name for your storage device, use the corresponding device names in the examples.

= Setting up Alpine Linux Using LVM on Top of a LUKS Partition =

To install Alpine Linux in logical volumes running on top of a LUKS encrypted partition, you cannot use the [[Installation|official installation]] procedure. The installation requires several manual steps you must run in the Alpine Linux Live CD environment.

== Preparing the Temporary Installation Environment ==

Before you begin to install Alpine Linux, prepare the temporary environment:

Boot the latest Alpine Linux Installation CD. At the login prompt, use the <code>root</code> user without a password to log in. Now we will follow the [[Setup-alpine]] script and make our changes along the way.

Run the scripts in this order:

<pre># setup-keymap
# setup-hostname
# setup-interfaces
# rc-service networking start</pre>

If you are configuring static networking (you didn't configure any interfaces to use DHCP), run <code>setup-dns</code>.

If you are using Wi-Fi you may need to do run <code>rc-update add wpa_supplicant boot</code>.

<pre># passwd
# setup-timezone
# rc-update add networking boot
# rc-update add urandom boot
# rc-update add acpid default
# rc-service acpid start</pre>

Edit your {{Path|/etc/hosts}} to look like this, replacing <hostname> with your hostname and <domain> with your TLD (if you don't have a TLD, use 'localdomain':
{{Tip|The default text editor in BusyBox is <code>vi</code> (pronounced ''vee-eye'').}}
{{Cat|/etc/hosts|127.0.0.1 <hostname> <hostname>.<domain> localhost localhost.localdomain
::1 <hostname> <hostname>.<domain> localhost localhost.localdomain}}

{{Note|In order to setup GRUB with UEFI, you are required to use the edge branch with the main and community repository. The reason for this is that <code>efibootmgr</code> is not available in the stable branch. If you do not want to switch completely over to edge you can do something called repository pinning. You will need to do this after the <code>setup-apkrepos</code> step.}}

<pre># setup-apkrepos
# apk update
# setup-sshd
# setup-ntp</pre>

Now we will deviate from the install script.

Install the following packages required to set up LVM and LUKS:

{{Note|The <code>parted</code> partition editor is needed for advanced partitioning and GPT disklabels. BusyBox <code>fdisk</code> is a very stripped-down version with minimal functionality}}

<pre># apk add lvm2 cryptsetup e2fsprogs parted</pre>

Optionally, if you want to overwrite your storage with random data first, install <code>haveged</code>, which is a random number generator based on hardware events and has a higher throughput than <code>/dev/urandom</code>:

<pre># apk add haveged
# rc-service haveged start</pre>

== Creating the Partition Layout ==

Depending on your motherboard and bios features and configuration
we can either use partition table in MBR (legacy BIOS)
or GUID Partition Table (GPT).
Here we will describe those two with example layouts.

=== BIOS/MBR with DOS disklabel ===

We will be partitioning the storage device with a non-encrypted <code>/boot</code> partition for use with the Syslinux bootloader. Syslinux is meant for use with legacy BIOS and the MSDOS MBR partition table. Syslinux does support GPT partition tables but GRUB2 is the better option for UEFI (UEFI is only possible with GPT).

<pre>+---------------------------+------------------------+-----------------------+
| Partition name | Partition purpose | Filesystem type |
+---------------------------+------------------------+-----------------------+
| /dev/sda1 | Boot partition | ext4 |
| /dev/sda2 | LUKS container | LUKS |
| |-> /dev/mapper/lvmcrypt | LVM container | LVM |
| |-> /dev/vg01/root | Root partition | ext4 |
| |-> /dev/vg01/swap | Swap partition | swap |
+---------------------------+------------------------+-----------------------+</pre>

{{Warning|This will delete your previous partitioning table and make your data very hard to recover. If you want to dual boot, stop here and ask an expert.}}

Create an approx. 100MB partition to boot off, then assign the rest of the space to your LUKS partition.

<pre># parted -a optimal
(parted) mklabel msdos
(parted) mkpart primary ext4 0% 100M
(parted) name 1 boot
(parted) set 1 boot on
(parted) mkpart primary ext4 100M 100%
(parted) name 2 crypto-luks</pre>

To view your partition table, type <code>print</code> while still in <code>parted</code>. Your results should look something like this:
<pre>(parted) print
Model: ATA TOSHIBA ******** (scsi)
Disk /dev/sda: 1000GB
Sector size (logical/physical): 512B/4096B
Partition Table: msdos
Disk Flags:

Number Start End Size Type File system Flags
1 1049kB 99.6MB 98.6MB primary ext4 boot
2 99.6MB 1000GB 1000GB primary ext4</pre>

=== UEFI with GPT disklabel ===

We will be encrypting the whole disk but the EFI system partition mounted at <code>/boot/efi</code>. This means that GRUB2 will decrypt the LUKS volume and load the kernel from there, preventing someone with physical access to your computer from maliciously installing a rootkit (or bootkit) in your boot partition while your computer is not already unlocked. The partitioning scheme will look like this:

<pre>+---------------------------+------------------------+-----------------------+
| Partition name | Partition purpose | Filesystem type |
+---------------------------+------------------------+-----------------------+
| /dev/sda1 | EFI system partition | fat32 |
| /dev/sda2 | LUKS container | LUKS |
| |-> /dev/mapper/lvmcrypt | LVM container | LVM |
| |-> /dev/vg01/root | Root partition | ext4 |
| |-> /dev/vg01/boot | Boot partition | ext4 |
| |-> /dev/vg01/swap | Swap partition | swap |
+---------------------------+------------------------+-----------------------+</pre>

{{Warning|This will delete your previous partitioning table and make your data very hard to recover. If you want to dual boot, stop here and ask an expert.}}

Create an approx. 200MB EFI system partition, then assign the rest of the space to your LUKS partition.

<pre># parted -a optimal
(parted) mklabel gpt
(parted) mkpart primary fat32 0% 200M
(parted) name 1 esp
(parted) set 1 esp on
(parted) mkpart primary ext4 200M 100%
(parted) name 2 crypto-luks</pre>

== Optional: Overwrite LUKS Partition with Random Data ==

This should be done if your hard drive wasn't encrypted previously. It helps purge old, non-encrypted data and makes it harder for an attacker to work out how much data you have on your drive if they have access to the encrypted contents.

We will be using <code>haveged</code> as it is considerably faster than <code>/dev/urandom</code> when generating pseudo-random numbers (it's almost as high as <code>/dev/zero</code> in throughput), and is (supposedly) very close to truly random.

<pre># haveged -n 0 | dd of=/dev/sda2</pre>

== Encrypting the LVM Physical Volume Partition ==

To encrypt the partition which will later contain the LVM PV, you could either use the default settings (aes-xts-plain64 cipher with 256-bit key and Argon2 hashing with iter-time 2000ms), or you could use these settings which have added security with the trade-off being a non-noticeable decrease in performance in modern computers:

Default settings:

<pre># cryptsetup luksFormat /dev/sda2</pre>

Optimized for security:

<pre># cryptsetup -v -c serpent-xts-plain64 -s 512 --hash whirlpool --iter-time 5000 --use-random luksFormat /dev/sda2</pre>

If using at least Alpine v3.11 and GRUB2 with encrypted /boot, the following should be used instead (because GRUB2 does not yet support LUKS2 containers):

<pre># cryptsetup luksFormat --type luks1 /dev/sda2</pre>

== Creating the Logical Volumes and File Systems ==

Open the LUKS partition:

<pre># cryptsetup luksOpen /dev/sda2 lvmcrypt</pre>

Create the PV on <code>lvmcrypt</code>:

<pre># pvcreate /dev/mapper/lvmcrypt</pre>

Create the <code>vg0</code> LVM VG in the <code>/dev/mapper/lvmcrypt</code> PV:

<pre># vgcreate vg0 /dev/mapper/lvmcrypt</pre>

=== LV Creation for BIOS/MBR ===

This will create a 2GB swap partition and a root partition which takes up the rest of the space. This setup is for those who do not need to use the hibernate/suspend to disk state. If you do need to suspend to disk, create a swap partition slightly larger than the size of your RAM (change the size after <code># lvcreate -L</code>).

<pre># lvcreate -L 2G vg0 -n swap
# lvcreate -l 100%FREE vg0 -n root</pre>

The LVs created in the previous steps are automatically marked active. To verify, enter:

<pre># lvscan</pre>

=== LV Creation for UEFI/GPT ===

This will create a 2GB swap partition, a 2GB boot partition and a root partition which takes up the rest of the space. This setup is for those who do not need to use the hibernate/suspend to disk state. If you do need to suspend to disk, create a swap partition slightly larger than the size of your RAM (change the size after <code># lvcreate -L</code>).

<pre># lvcreate -L 2G vg0 -n swap
# lvcreate -L 2G vg0 -n boot
# lvcreate -l 100%FREE vg0 -n root</pre>

The LVs created in the previous steps are automatically marked active. To verify, enter:

<pre># lvscan</pre>

== Creating and Mounting the File Systems ==

Format the <code>root</code> and <code>boot</code> LVs using the ext4 file system:

<pre># mkfs.ext4 /dev/vg0/root</pre>

Format the swap LV:

<pre># mkswap /dev/vg0/swap</pre>

Before you can install Alpine Linux, you must mount the partitions and LVs. Mount the root LV to the <code>/mnt/</code> directory:

<pre># mount -t ext4 /dev/vg0/root /mnt/</pre>

Next format your boot partition, create a mount point and mount it:

* If you're using BIOS and MBR:

<pre># mkfs.ext4 /dev/sda1
# mkdir -v /mnt/boot
# mount -t ext4 /dev/sda1 /mnt/boot</pre>

* If you're using UEFI and GPT:

<pre># apk add dosfstools
# mkfs.fat -F32 /dev/sda1
# mkfs.ext4 /dev/vg0/boot
# mkdir -v /mnt/boot
# mount -t ext4 /dev/vg0/boot /mnt/boot
# mkdir -v /mnt/boot/efi
# mount -t vfat /dev/sda1 /mnt/boot/efi</pre>

Lastly, activate your swap partition:

<pre># swapon /dev/vg0/swap</pre>

== Installing Alpine Linux ==

In this step you will install Alpine Linux in the <code>/mnt/</code> directory, which contains the mounted file system structure:

<pre># setup-disk -m sys /mnt/</pre>

The installer downloads the latest packages to install the base installation. Additionally, the installer automatically creates the entries for the mount points in {{Path|/etc/fstab}} file, which is currently mounted in the <code>/mnt/</code> directory.

{{Note|The automatic writing of the master boot record (MBR) fails in this step. You will write the MBR later manually to the disk.}}

The swap LV is not automatically added to the <code>fstab</code> file. To add it manually, add the following line to the {{Path|/mnt/etc/fstab}} file:

<pre>/dev/vg0/swap swap swap defaults 0 0</pre>

Edit the {{Path|/mnt/etc/mkinitfs/mkinitfs.conf}} file and append the <code>cryptsetup</code> module to the <code>features</code> parameter:

<pre>features="... cryptsetup"</pre>

If you are using GRUB with an encrypted <code>/boot</code> you must add the <code>cryptkey</code> feature so that Alpine can use a keyfile for decryption on boot.

{{Note|Alpine Linux uses the <code>en-us</code> keyboard mapping by default when prompting for the password to decrypt the partition at boot time. If you changed the keyboard mapping in the temporary environment and want to use it at the boot password prompt, be sure to also add the <code>keymap</code> feature to the list above.}}

{{Note|Check the output of <code>mkinitfs -L</code> and add the features necessary for your system to boot. You may need to add <code>kms</code> in order to see a password prompt at boot. You may also need: <code>usb</code>, <code>lvm</code>, <code>ext4</code>...}}

Rebuild the initial RAM disk:

<pre># mkinitfs -c /mnt/etc/mkinitfs/mkinitfs.conf -b /mnt/ $(ls /mnt/lib/modules/)</pre>

The command uses the settings from the <code>mkinitfs.conf</code> file set in the <code>-c</code> parameter to generate the RAM disk. The command is executed in the <code>/mnt/</code> directory and the RAM disk is generated using the modules for the installed kernel. Without setting the kernel version using the <code>$(ls /mnt/lib/modules/</code>) option, <code>mkinitfs</code> tries to generate the RAM disk using the kernel version installed in the temporary environment, which can differ from the latest one installed by the <code>setup-disk</code> utility.

== Installing a bootloader ==

To get the UUID of your storage device into a file for later use, use this command:

<pre># blkid -s UUID -o value /dev/sda2 > ~/uuid</pre>

{{Tip|To easily read the UUID into a file so you don't have to type it manually, open the file in <code>vi</code>, then type <code>:r /root/uuid</code> to load the UUID onto a new line.}}

=== Syslinux with BIOS ===

Install the Syslinux package:

<pre># apk add syslinux</pre>

Edit {{Path|/mnt/etc/update-extlinux.conf}} and append the following kernel options to the <code>default_kernel_opts</code> parameter, replacing <UUID> with the UUID of <code>/dev/sda2</code>:

<pre>default_kernel_opts="... cryptroot=UUID=<UUID> cryptdm=lvmcrypt"</pre>

The <code>cryptroot</code> parameter sets the name of the device that contains the root file system, and the <code>cryptdm</code> parameter sets the name of the mapping previously set in <code>crypttab</code>.

Because the <code>update-extlinux</code> utility operates only on the <code>/boot/</code> directory, temporarily change the root to the <code>/mnt/</code> directory and update the boot loader configuration:

<pre># chroot /mnt/
# update-extlinux
# exit</pre>

: If an error occurs in the <code>update-extlinux</code> command you can most likely ignore it.

Write the MBR to the <code>/dev/sda</code> device:

<pre># dd bs=440 count=1 conv=notrunc if=/mnt/usr/share/syslinux/mbr.bin of=/dev/sda</pre>

=== Grub with UEFI ===

To avoid having to type your decryption password twice every boot (once for GRUB and once for Alpine), add a keyfile to your LUKS partition. The filename is important.

<pre># dd bs=512 count=4 if=/dev/urandom of=/mnt/crypto_keyfile.bin
# cryptsetup luksAddKey /dev/sda2 /mnt/crypto_keyfile.bin
</pre>

This keyfile is stored encrypted at rest (it is in your LUKS partition), so it's existence does not reduce the security of the system.

Mount the required filesystems for the Grub EFI installer to the installation:

<pre># mount -t proc /proc /mnt/proc
# mount --rbind /dev /mnt/dev
# mount --make-rslave /mnt/dev
# mount --rbind /sys /mnt/sys</pre>

Then chroot in and use <code>grub-install</code> to install Grub.

<pre># chroot /mnt
# source /etc/profile
# export PS1="(chroot) $PS1"</pre>

Install <code>GRUB2</code> for EFI and (optionally) remove syslinux:

<pre># apk add grub grub-efi efibootmgr
# apk del syslinux</pre>

Edit {{Path|/etc/default/grub}} and add the following kernel options to the <code>GRUB_CMDLINE_LINUX_DEFAULT</code> parameter, replacing <UUID> with the UUID of the encrypted partition (in this case, <code>/dev/sda2</code>):

<pre>cryptroot=UUID=<UUID> cryptdm=lvmcrypt cryptkey</pre>

The <code>cryptroot</code> parameter sets the name of the device that contains the root file system. The <code>cryptkey</code> parameter indicates the existence of the file <code>/crypto_keyfile.bin</code> you created previously.

To enable GRUB to decrypt LUKS partitions and read LVM volumes add:

<pre>GRUB_PRELOAD_MODULES="luks cryptodisk part_gpt lvm"</pre>

If using at least Alpine v3.11, <code>GRUB_ENABLE_CRYPTODISK=y</code> should also be added to {{Path|/etc/default/grub}}.

<pre># (chroot) grub-install --target=x86_64-efi --efi-directory=/boot/efi
# (chroot) grub-mkconfig -o /boot/grub/grub.cfg
# (chroot) exit</pre>

== Unmounting the Volumes and Partitions ==

Unmount the <code>/mnt/</code> partitions, deactivate the LVM volumes, close the LUKS partition and reboot:

<pre># cd
# umount -l /mnt/dev
# umount -l /mnt/proc
# umount -l /mnt/sys
# umount /mnt/boot/efi
# umount /mnt/boot
# swapoff /dev/vg0/swap
# umount /mnt
# vgchange -a n
# cryptsetup luksClose lvmcrypt
# reboot</pre>

= Troubleshooting =

== General Procedure ==

In case your system fails to boot, you can verify the settings and fix incorrect configurations.

Reboot and do the steps in [[#Preparing_the_Temporary_Installation_Environment|Prepare the temporary installation environment]] again.

Setup the LUKS partition and activate the LVs:

<pre># cryptsetup luksOpen /dev/sda2
# vgchange -ay</pre>

[[#Creating_and_Mounting_the_File Systems|Mount the file systems]]

Verify that you run the steps described in the [[#Installing_Alpine_Linux|Installing Alpine Linux]] section correctly. Update the configuration if necessary, unmount the partitions, then reboot.

== System can't find boot device ==

This can be because you are using a GPT partition table on a motherboard that runs BIOS instead of UEFI, or you are running an MSDOS/MBR/Syslinux install without enabling legacy boot mode in the UEFI settings.

== Secure boot ==

If secure boot complains of an unsigned bootloader, you can either disable it or adapt [https://wiki.archlinux.org/index.php/Secure_Boot this] guide to sign GRUB. If you're using Syslinux, then secure boot should be automatically disabled when you enable legacy boot mode.

= Hardening =

* To harden, you should disable DMA[https://old.iseclab.org/papers/acsac2012dma.pdf] and install a hardened version of AES (TRESOR[https://www1.informatik.uni-erlangen.de/tresor] or Loop-Amnesia[http://moongate.ydns.eu/amnesia.html]) since by default cryptsetup with luks uses AES by default.
* Disable DMA in the BIOS and set the password for the BIOS according to Wikipedia.[https://en.wikipedia.org/wiki/DMA_attack]
* Blacklist kernel modules that use DMA and any unused expansion modules (FireWire, CardBus, ExpressCard, Thunderbolt, USB 3.0, PCI Express and hotplug modules) that use DMA.

= Mounting additional encrypted filesystems at boot =

If you would like other encrypted LUKS partitions to be decrypted and mounted automatically during boot, for example if you have <code>/home</code> on a separate physical drive, some extra steps are required. For the purposes of these instructions we will say <code>/dev/sdb1</code> contains an LVM volume that should be mounted at <code>/home</code>.

Create a keyfile and add it to the LUKS partition:

<pre># dd bs=512 count=4 if=/dev/urandom of=/root/crypt-home-keyfile.bin
# cryptsetup luksAddKey /dev/sdb1 /root/crypt-home-keyfile.bin
</pre>

Alpine, like Gentoo, uses the <code>dmcrypt</code> service rather than <code>/etc/crypttab</code>. Add the following lines to <code>/etc/conf.d/dmcrypt</code>:

<pre>target=crypt-home
source='/dev/sdb1'
key='/root/crypt-home-keyfile.bin'
</pre>

Add an entry to <code>/etc/fstab</code>, changing <code>vg1</code> to the name of your LVM volume group:

<pre>/dev/vg1/home /home ext4 rw,relatime 0 2</pre>

Enable the dmcrypt and lvm services to start on boot:

<pre># rc-update add dmcrypt boot
# rc-update add lvm boot
</pre>

After a reboot the partition should be decrypted and mounted automatically.

= See also =
*[[Bootloaders]]
*[[Alpine setup scripts]]
*[[Installing on GPT LVM]]
*[[Setting up LVM on GPT-labeled disks]]
*[[Setting up disks manually]]
*https://wiki.gentoo.org/wiki/Syslinux
*https://wiki.gentoo.org/wiki/GRUB2
*https://wiki.archlinux.org/index.php/Syslinux
*https://wiki.archlinux.org/index.php/GRUB
*https://wiki.gentoo.org/wiki/Sakaki's_EFI_Install_Guide
*https://battlepenguin.com/tech/alpine-linux-with-full-disk-encryption/
*https://wiki.gentoo.org/wiki/Dm-crypt

[[Category:Storage]]
[[Category:Security]]

LVM on LUKS

2021-01-15T20:46:42Z

Pawciobiel: Add a small info about possible layouts.

= Introduction =

This documentation describes how to set up Alpine Linux on a fully encrypted disk (apart from the bootloader's partition). We will have an LVM container installed inside an encrypted partition. To encrypt the partition containing the LVM volume group, dm-crypt (which is managed by the <code>cryptsetup</code> command) and its LUKS subsystem is used.

Note that your <code>/boot/</code> partition must be non-encrypted to work with Syslinux. When using GRUB2 it is possible to boot from an encrypted partition to provide a layer of protection from [https://en.wikipedia.org/wiki/Evil_maid_attack Evil Maid attacks], but Syslinux doesn't support this.

== Storage Device Name ==

To find your storage device's name, you could either install <code>util-linux</code> (<code>apk add util-linux</code>) and find your device using the <code>lspci</code> command, or you could make an educated guess by using BusyBox's <code>blkid</code> and <code>df</code> commands, and running <code>ls /dev/sd*</code> if you are installing to a USB, SATA or SCSI device, <code>ls /dev/fd*</code> for floppy disks and <code>ls /dev/hd*</code> for IDE (PATA) devices.

The following documentation uses the <code>/dev/sda</code> device as installation destination. If your environment uses a different device name for your storage device, use the corresponding device names in the examples.

= Setting up Alpine Linux Using LVM on Top of a LUKS Partition =

To install Alpine Linux in logical volumes running on top of a LUKS encrypted partition, you cannot use the [[Installation|official installation]] procedure. The installation requires several manual steps you must run in the Alpine Linux Live CD environment.

== Preparing the Temporary Installation Environment ==

Before you begin to install Alpine Linux, prepare the temporary environment:

Boot the latest Alpine Linux Installation CD. At the login prompt, use the <code>root</code> user without a password to log in. Now we will follow the [[Setup-alpine]] script and make our changes along the way.

Run the scripts in this order:

<pre># setup-keymap
# setup-hostname
# setup-interfaces
# rc-service networking start</pre>

If you are configuring static networking (you didn't configure any interfaces to use DHCP), run <code>setup-dns</code>.

If you are using Wi-Fi you may need to do run <code>rc-update add wpa_supplicant boot</code>.

<pre># passwd
# setup-timezone
# rc-update add networking boot
# rc-update add urandom boot
# rc-update add acpid default
# rc-service acpid start</pre>

Edit your {{Path|/etc/hosts}} to look like this, replacing <hostname> with your hostname and <domain> with your TLD (if you don't have a TLD, use 'localdomain':
{{Tip|The default text editor in BusyBox is <code>vi</code> (pronounced ''vee-eye'').}}
{{Cat|/etc/hosts|127.0.0.1 <hostname> <hostname>.<domain> localhost localhost.localdomain
::1 <hostname> <hostname>.<domain> localhost localhost.localdomain}}

{{Note|In order to setup GRUB with UEFI, you are required to use the edge branch with the main and community repository. The reason for this is that <code>efibootmgr</code> is not available in the stable branch. If you do not want to switch completely over to edge you can do something called repository pinning. You will need to do this after the <code>setup-apkrepos</code> step.}}

<pre># setup-apkrepos
# apk update
# setup-sshd
# setup-ntp</pre>

Now we will deviate from the install script.

Install the following packages required to set up LVM and LUKS:

{{Note|The <code>parted</code> partition editor is needed for advanced partitioning and GPT disklabels. BusyBox <code>fdisk</code> is a very stripped-down version with minimal functionality}}

<pre># apk add lvm2 cryptsetup e2fsprogs parted</pre>

Optionally, if you want to overwrite your storage with random data first, install <code>haveged</code>, which is a random number generator based on hardware events and has a higher throughput than <code>/dev/urandom</code>:

<pre># apk add haveged
# rc-service haveged start</pre>

== Creating the Partition Layout ==

Depending on your motherboard and bios features and configuration
we can either use partition table in MBR (legacy BIOS)
or GUID Partition Table (GPT).
Here we will describe those two with example layouts.

=== BIOS/MBR with DOS disklabel ===

We will be partitioning the storage device with a non-encrypted <code>/boot</code> partition for use with the Syslinux bootloader. Syslinux is meant for use with legacy BIOS and the MSDOS MBR partition table. Syslinux does support GPT partition tables but GRUB2 is the better option for UEFI (UEFI is only possible with GPT).

<pre>+---------------------------+------------------------+-----------------------+
| Partition name | Partition purpose | Filesystem type |
+---------------------------+------------------------+-----------------------+
| /dev/sda1 | Boot partition | ext4 |
| /dev/sda2 | LUKS container | LUKS |
| |-> /dev/mapper/lvmcrypt | LVM container | LVM |
| |-> /dev/vg01/root | Root partition | ext4 |
| |-> /dev/vg01/swap | Swap partition | swap |
+---------------------------+------------------------+-----------------------+</pre>

{{Warning|This will delete your previous partitioning table and make your data very hard to recover. If you want to dual boot, stop here and ask an expert.}}

Create an approx. 100MB partition to boot off, then assign the rest of the space to your LUKS partition.

<pre># parted -a optimal
(parted) mklabel msdos
(parted) mkpart primary ext4 0% 100M
(parted) name 1 boot
(parted) set 1 boot on
(parted) mkpart primary ext4 100M 100%
(parted) name 2 crypto-luks</pre>

To view your partition table, type <code>print</code> while still in <code>parted</code>. Your results should look something like this:
<pre>(parted) print
Model: ATA TOSHIBA ******** (scsi)
Disk /dev/sda: 1000GB
Sector size (logical/physical): 512B/4096B
Partition Table: msdos
Disk Flags:

Number Start End Size Type File system Flags
1 1049kB 99.6MB 98.6MB primary ext4 boot
2 99.6MB 1000GB 1000GB primary ext4</pre>

=== UEFI with GPT disklabel ===

We will be encrypting the whole disk but the EFI system partition mounted at <code>/boot/efi</code>. This means that GRUB2 will decrypt the LUKS volume and load the kernel from there, preventing someone with physical access to your computer from maliciously installing a rootkit (or bootkit) in your boot partition while your computer is not already unlocked. The partitioning scheme will look like this:

<pre>+---------------------------+------------------------+-----------------------+
| Partition name | Partition purpose | Filesystem type |
+---------------------------+------------------------+-----------------------+
| /dev/sda1 | EFI system partition | fat32 |
| /dev/sda2 | LUKS container | LUKS |
| |-> /dev/mapper/lvmcrypt | LVM container | LVM |
| |-> /dev/vg01/root | Root partition | ext4 |
| |-> /dev/vg01/boot | Boot partition | ext4 |
| |-> /dev/vg01/swap | Swap partition | swap |
+---------------------------+------------------------+-----------------------+</pre>

{{Warning|This will delete your previous partitioning table and make your data very hard to recover. If you want to dual boot, stop here and ask an expert.}}

Create an approx. 200MB EFI system partition, then assign the rest of the space to your LUKS partition.

<pre># parted -a optimal
(parted) mklabel gpt
(parted) mkpart primary fat32 0% 200M
(parted) name 1 esp
(parted) set 1 esp on
(parted) mkpart primary ext4 200M 100%
(parted) name 2 crypto-luks</pre>

== Optional: Overwrite LUKS Partition with Random Data ==

This should be done if your hard drive wasn't encrypted previously. It helps purge old, non-encrypted data and makes it harder for an attacker to work out how much data you have on your drive if they have access to the encrypted contents.

We will be using <code>haveged</code> as it is considerably faster than <code>/dev/urandom</code> when generating pseudo-random numbers (it's almost as high as <code>/dev/zero</code> in throughput), and is (supposedly) very close to truly random.

<pre># haveged -n 0 | dd of=/dev/sda2</pre>

== Encrypting the LVM Physical Volume Partition ==

To encrypt the partition which will later contain the LVM PV, you could either use the default settings (aes-xts-plain64 cipher with 256-bit key and Argon2 hashing with iter-time 2000ms), or you could use these settings which have added security with the trade-off being a non-noticeable decrease in performance in modern computers:

Default settings:

<pre># cryptsetup luksFormat /dev/sda2</pre>

Optimized for security:

<pre># cryptsetup -v -c serpent-xts-plain64 -s 512 --hash whirlpool --iter-time 5000 --use-random luksFormat /dev/sda2</pre>

If using at least Alpine v3.11 and GRUB2 with encrypted /boot, the following should be used instead (because GRUB2 does not yet support LUKS2 containers):

<pre># cryptsetup luksFormat --type luks1 /dev/sda2</pre>

== Creating the Logical Volumes and File Systems ==

Open the LUKS partition:

<pre># cryptsetup luksOpen /dev/sda2 lvmcrypt</pre>

Create the PV on <code>lvmcrypt</code>:

<pre># pvcreate /dev/mapper/lvmcrypt</pre>

Create the <code>vg0</code> LVM VG in the <code>/dev/mapper/lvmcrypt</code> PV:

<pre># vgcreate vg0 /dev/mapper/lvmcrypt</pre>

=== LV Creation for BIOS/MBR ===

This will create a 2GB swap partition and a root partition which takes up the rest of the space. This setup is for those who do not need to use the hibernate/suspend to disk state. If you do need to suspend to disk, create a swap partition slightly larger than the size of your RAM (change the size after <code># lvcreate -L</code>).

<pre># lvcreate -L 2G vg0 -n swap
# lvcreate -l 100%FREE vg0 -n root</pre>

The LVs created in the previous steps are automatically marked active. To verify, enter:

<pre># lvscan</pre>

=== LV Creation for UEFI/GPT ===

This will create a 2GB swap partition, a 2GB boot partition and a root partition which takes up the rest of the space. This setup is for those who do not need to use the hibernate/suspend to disk state. If you do need to suspend to disk, create a swap partition slightly larger than the size of your RAM (change the size after <code># lvcreate -L</code>).

<pre># lvcreate -L 2G vg0 -n swap
# lvcreate -L 2G vg0 -n boot
# lvcreate -l 100%FREE vg0 -n root</pre>

The LVs created in the previous steps are automatically marked active. To verify, enter:

<pre># lvscan</pre>

== Creating and Mounting the File Systems ==

Format the <code>root</code> and <code>boot</code> LVs using the ext4 file system:

<pre># mkfs.ext4 /dev/vg0/root</pre>

Format the swap LV:

<pre># mkswap /dev/vg0/swap</pre>

Before you can install Alpine Linux, you must mount the partitions and LVs. Mount the root LV to the <code>/mnt/</code> directory:

<pre># mount -t ext4 /dev/vg0/root /mnt/</pre>

Next format your boot partition, create a mount point and mount it:

* If you're using BIOS and MBR:

<pre># mkfs.ext4 /dev/sda1
# mkdir -v /mnt/boot
# mount -t ext4 /dev/sda1 /mnt/boot</pre>

* If you're using UEFI and GPT:

<pre># apk add dosfstools
# mkfs.fat -F32 /dev/sda1
# mkfs.ext4 /dev/vg0/boot
# mkdir -v /mnt/boot
# mount -t ext4 /dev/vg0/boot /mnt/boot
# mkdir -v /mnt/boot/efi
# mount -t vfat /dev/sda1 /mnt/boot/efi</pre>

Lastly, activate your swap partition:

<pre># swapon /dev/vg0/swap</pre>

== Installing Alpine Linux ==

In this step you will install Alpine Linux in the <code>/mnt/</code> directory, which contains the mounted file system structure:

<pre># setup-disk -m sys /mnt/</pre>

The installer downloads the latest packages to install the base installation. Additionally, the installer automatically creates the entries for the mount points in {{Path|/etc/fstab}} file, which is currently mounted in the <code>/mnt/</code> directory.

{{Note|The automatic writing of the master boot record (MBR) fails in this step. You will write the MBR later manually to the disk.}}

The swap LV is not automatically added to the <code>fstab</code> file. To add it manually, add the following line to the {{Path|/mnt/etc/fstab}} file:

<pre>/dev/vg0/swap swap swap defaults 0 0</pre>

Edit the {{Path|/mnt/etc/mkinitfs/mkinitfs.conf}} file and append the <code>cryptsetup</code> module to the <code>features</code> parameter:

<pre>features="... cryptsetup"</pre>

If you are using GRUB with an encrypted <code>/boot</code> you should also add the <code>cryptkey</code> feature so that Alpine can use a keyfile for decryption on boot.

{{Note|Alpine Linux uses the <code>en-us</code> keyboard mapping by default when prompting for the password to decrypt the partition at boot time. If you changed the keyboard mapping in the temporary environment and want to use it at the boot password prompt, be sure to also add the <code>keymap</code> feature to the list above.}}

{{Note|Check the output of <code>mkinitfs -L</code> and add the features necessary for your system to boot. You may need to add <code>kms</code> in order to see a password prompt at boot.}}

Rebuild the initial RAM disk:

<pre># mkinitfs -c /mnt/etc/mkinitfs/mkinitfs.conf -b /mnt/ $(ls /mnt/lib/modules/)</pre>

The command uses the settings from the <code>mkinitfs.conf</code> file set in the <code>-c</code> parameter to generate the RAM disk. The command is executed in the <code>/mnt/</code> directory and the RAM disk is generated using the modules for the installed kernel. Without setting the kernel version using the <code>$(ls /mnt/lib/modules/</code>) option, <code>mkinitfs</code> tries to generate the RAM disk using the kernel version installed in the temporary environment, which can differ from the latest one installed by the <code>setup-disk</code> utility.

== Installing a bootloader ==

To get the UUID of your storage device into a file for later use, use this command:

<pre># blkid -s UUID -o value /dev/sda2 > ~/uuid</pre>

{{Tip|To easily read the UUID into a file so you don't have to type it manually, open the file in <code>vi</code>, then type <code>:r /root/uuid</code> to load the UUID onto a new line.}}

=== Syslinux with BIOS ===

Install the Syslinux package:

<pre># apk add syslinux</pre>

Edit {{Path|/mnt/etc/update-extlinux.conf}} and append the following kernel options to the <code>default_kernel_opts</code> parameter, replacing <UUID> with the UUID of <code>/dev/sda2</code>:

<pre>default_kernel_opts="... cryptroot=UUID=<UUID> cryptdm=lvmcrypt"</pre>

The <code>cryptroot</code> parameter sets the name of the device that contains the root file system, and the <code>cryptdm</code> parameter sets the name of the mapping previously set in <code>crypttab</code>.

Because the <code>update-extlinux</code> utility operates only on the <code>/boot/</code> directory, temporarily change the root to the <code>/mnt/</code> directory and update the boot loader configuration:

<pre># chroot /mnt/
# update-extlinux
# exit</pre>

: If an error occurs in the <code>update-extlinux</code> command you can most likely ignore it.

Write the MBR to the <code>/dev/sda</code> device:

<pre># dd bs=440 count=1 conv=notrunc if=/mnt/usr/share/syslinux/mbr.bin of=/dev/sda</pre>

=== Grub with UEFI ===

To avoid having to type your decryption password twice every boot (once for GRUB and once for Alpine), add a keyfile to your LUKS partition. The filename is important.

<pre># dd bs=512 count=4 if=/dev/urandom of=/mnt/crypto_keyfile.bin
# cryptsetup luksAddKey /dev/sda2 /mnt/crypto_keyfile.bin
</pre>

This keyfile is stored encrypted at rest (it is in your LUKS partition), so it's existence does not reduce the security of the system.

Mount the required filesystems for the Grub EFI installer to the installation:

<pre># mount -t proc /proc /mnt/proc
# mount --rbind /dev /mnt/dev
# mount --make-rslave /mnt/dev
# mount --rbind /sys /mnt/sys</pre>

Then chroot in and use <code>grub-install</code> to install Grub.

<pre># chroot /mnt
# source /etc/profile
# export PS1="(chroot) $PS1"</pre>

Install <code>GRUB2</code> for EFI and (optionally) remove syslinux:

<pre># apk add grub grub-efi efibootmgr
# apk del syslinux</pre>

Edit {{Path|/etc/default/grub}} and add the following kernel options to the <code>GRUB_CMDLINE_LINUX_DEFAULT</code> parameter, replacing <UUID> with the UUID of the encrypted partition (in this case, <code>/dev/sda2</code>):

<pre>cryptroot=UUID=<UUID> cryptdm=lvmcrypt cryptkey</pre>

The <code>cryptroot</code> parameter sets the name of the device that contains the root file system. The <code>cryptkey</code> parameter indicates the existence of the file <code>/crypto_keyfile.bin</code> you created previously.

To enable GRUB to decrypt LUKS partitions and read LVM volumes add:

<pre>GRUB_PRELOAD_MODULES="luks cryptodisk part_gpt lvm"</pre>

If using at least Alpine v3.11, <code>GRUB_ENABLE_CRYPTODISK=y</code> should also be added to {{Path|/etc/default/grub}}.

<pre># (chroot) grub-install --target=x86_64-efi --efi-directory=/boot/efi
# (chroot) grub-mkconfig -o /boot/grub/grub.cfg
# (chroot) exit</pre>

== Unmounting the Volumes and Partitions ==

Unmount the <code>/mnt/</code> partitions, deactivate the LVM volumes, close the LUKS partition and reboot:

<pre># cd
# umount -l /mnt/dev
# umount -l /mnt/proc
# umount -l /mnt/sys
# umount /mnt/boot/efi
# umount /mnt/boot
# swapoff /dev/vg0/swap
# umount /mnt
# vgchange -a n
# cryptsetup luksClose lvmcrypt
# reboot</pre>

= Troubleshooting =

== General Procedure ==

In case your system fails to boot, you can verify the settings and fix incorrect configurations.

Reboot and do the steps in [[#Preparing_the_Temporary_Installation_Environment|Prepare the temporary installation environment]] again.

Setup the LUKS partition and activate the LVs:

<pre># cryptsetup luksOpen /dev/sda2
# vgchange -ay</pre>

[[#Creating_and_Mounting_the_File Systems|Mount the file systems]]

Verify that you run the steps described in the [[#Installing_Alpine_Linux|Installing Alpine Linux]] section correctly. Update the configuration if necessary, unmount the partitions, then reboot.

== System can't find boot device ==

This can be because you are using a GPT partition table on a motherboard that runs BIOS instead of UEFI, or you are running an MSDOS/MBR/Syslinux install without enabling legacy boot mode in the UEFI settings.

== Secure boot ==

If secure boot complains of an unsigned bootloader, you can either disable it or adapt [https://wiki.archlinux.org/index.php/Secure_Boot this] guide to sign GRUB. If you're using Syslinux, then secure boot should be automatically disabled when you enable legacy boot mode.

= Hardening =

* To harden, you should disable DMA[https://old.iseclab.org/papers/acsac2012dma.pdf] and install a hardened version of AES (TRESOR[https://www1.informatik.uni-erlangen.de/tresor] or Loop-Amnesia[http://moongate.ydns.eu/amnesia.html]) since by default cryptsetup with luks uses AES by default.
* Disable DMA in the BIOS and set the password for the BIOS according to Wikipedia.[https://en.wikipedia.org/wiki/DMA_attack]
* Blacklist kernel modules that use DMA and any unused expansion modules (FireWire, CardBus, ExpressCard, Thunderbolt, USB 3.0, PCI Express and hotplug modules) that use DMA.

= Mounting additional encrypted filesystems at boot =

If you would like other encrypted LUKS partitions to be decrypted and mounted automatically during boot, for example if you have <code>/home</code> on a separate physical drive, some extra steps are required. For the purposes of these instructions we will say <code>/dev/sdb1</code> contains an LVM volume that should be mounted at <code>/home</code>.

Create a keyfile and add it to the LUKS partition:

<pre># dd bs=512 count=4 if=/dev/urandom of=/root/crypt-home-keyfile.bin
# cryptsetup luksAddKey /dev/sdb1 /root/crypt-home-keyfile.bin
</pre>

Alpine, like Gentoo, uses the <code>dmcrypt</code> service rather than <code>/etc/crypttab</code>. Add the following lines to <code>/etc/conf.d/dmcrypt</code>:

<pre>target=crypt-home
source='/dev/sdb1'
key='/root/crypt-home-keyfile.bin'
</pre>

Add an entry to <code>/etc/fstab</code>, changing <code>vg1</code> to the name of your LVM volume group:

<pre>/dev/vg1/home /home ext4 rw,relatime 0 2</pre>

Enable the dmcrypt and lvm services to start on boot:

<pre># rc-update add dmcrypt boot
# rc-update add lvm boot
</pre>

After a reboot the partition should be decrypted and mounted automatically.

= See also =
*[[Bootloaders]]
*[[Alpine setup scripts]]
*[[Installing on GPT LVM]]
*[[Setting up LVM on GPT-labeled disks]]
*[[Setting up disks manually]]
*https://wiki.gentoo.org/wiki/Syslinux
*https://wiki.gentoo.org/wiki/GRUB2
*https://wiki.archlinux.org/index.php/Syslinux
*https://wiki.archlinux.org/index.php/GRUB
*https://wiki.gentoo.org/wiki/Sakaki's_EFI_Install_Guide
*https://battlepenguin.com/tech/alpine-linux-with-full-disk-encryption/
*https://wiki.gentoo.org/wiki/Dm-crypt

[[Category:Storage]]
[[Category:Security]]

LVM on LUKS

2021-01-15T20:27:03Z

Pawciobiel: fix typo fro

= Introduction =

This documentation describes how to set up Alpine Linux on a fully encrypted disk (apart from the bootloader's partition). We will have an LVM container installed inside an encrypted partition. To encrypt the partition containing the LVM volume group, dm-crypt (which is managed by the <code>cryptsetup</code> command) and its LUKS subsystem is used.

Note that your <code>/boot/</code> partition must be non-encrypted to work with Syslinux. When using GRUB2 it is possible to boot from an encrypted partition to provide a layer of protection from [https://en.wikipedia.org/wiki/Evil_maid_attack Evil Maid attacks], but Syslinux doesn't support this.

== Storage Device Name ==

To find your storage device's name, you could either install <code>util-linux</code> (<code>apk add util-linux</code>) and find your device using the <code>lspci</code> command, or you could make an educated guess by using BusyBox's <code>blkid</code> and <code>df</code> commands, and running <code>ls /dev/sd*</code> if you are installing to a USB, SATA or SCSI device, <code>ls /dev/fd*</code> for floppy disks and <code>ls /dev/hd*</code> for IDE (PATA) devices.

The following documentation uses the <code>/dev/sda</code> device as installation destination. If your environment uses a different device name for your storage device, use the corresponding device names in the examples.

= Setting up Alpine Linux Using LVM on Top of a LUKS Partition =

To install Alpine Linux in logical volumes running on top of a LUKS encrypted partition, you cannot use the [[Installation|official installation]] procedure. The installation requires several manual steps you must run in the Alpine Linux Live CD environment.

== Preparing the Temporary Installation Environment ==

Before you begin to install Alpine Linux, prepare the temporary environment:

Boot the latest Alpine Linux Installation CD. At the login prompt, use the <code>root</code> user without a password to log in. Now we will follow the [[Setup-alpine]] script and make our changes along the way.

Run the scripts in this order:

<pre># setup-keymap
# setup-hostname
# setup-interfaces
# rc-service networking start</pre>

If you are configuring static networking (you didn't configure any interfaces to use DHCP), run <code>setup-dns</code>.

If you are using Wi-Fi you may need to do run <code>rc-update add wpa_supplicant boot</code>.

<pre># passwd
# setup-timezone
# rc-update add networking boot
# rc-update add urandom boot
# rc-update add acpid default
# rc-service acpid start</pre>

Edit your {{Path|/etc/hosts}} to look like this, replacing <hostname> with your hostname and <domain> with your TLD (if you don't have a TLD, use 'localdomain':
{{Tip|The default text editor in BusyBox is <code>vi</code> (pronounced ''vee-eye'').}}
{{Cat|/etc/hosts|127.0.0.1 <hostname> <hostname>.<domain> localhost localhost.localdomain
::1 <hostname> <hostname>.<domain> localhost localhost.localdomain}}

{{Note|In order to setup GRUB with UEFI, you are required to use the edge branch with the main and community repository. The reason for this is that <code>efibootmgr</code> is not available in the stable branch. If you do not want to switch completely over to edge you can do something called repository pinning. You will need to do this after the <code>setup-apkrepos</code> step.}}

<pre># setup-apkrepos
# apk update
# setup-sshd
# setup-ntp</pre>

Now we will deviate from the install script.

Install the following packages required to set up LVM and LUKS:

{{Note|The <code>parted</code> partition editor is needed for advanced partitioning and GPT disklabels. BusyBox <code>fdisk</code> is a very stripped-down version with minimal functionality}}

<pre># apk add lvm2 cryptsetup e2fsprogs parted</pre>

Optionally, if you want to overwrite your storage with random data first, install <code>haveged</code>, which is a random number generator based on hardware events and has a higher throughput than <code>/dev/urandom</code>:

<pre># apk add haveged
# rc-service haveged start</pre>

== Creating the Partition Layout ==

=== BIOS/MBR with DOS disklabel ===

We will be partitioning the storage device with a non-encrypted <code>/boot</code> partition for use with the Syslinux bootloader. Syslinux is meant for use with legacy BIOS and the MSDOS MBR partition table. Syslinux does support GPT partition tables but GRUB2 is the better option for UEFI.

<pre>+---------------------------+------------------------+-----------------------+
| Partition name | Partition purpose | Filesystem type |
+---------------------------+------------------------+-----------------------+
| /dev/sda1 | Boot partition | ext4 |
| /dev/sda2 | LUKS container | LUKS |
| |-> /dev/mapper/lvmcrypt | LVM container | LVM |
| |-> /dev/vg01/root | Root partition | ext4 |
| |-> /dev/vg01/swap | Swap partition | swap |
+---------------------------+------------------------+-----------------------+</pre>

{{Warning|This will delete your previous partitioning table and make your data very hard to recover. If you want to dual boot, stop here and ask an expert.}}

Create an approx. 100MB partition to boot off, then assign the rest of the space to your LUKS partition.

<pre># parted -a optimal
(parted) mklabel msdos
(parted) mkpart primary ext4 0% 100M
(parted) name 1 boot
(parted) set 1 boot on
(parted) mkpart primary ext4 100M 100%
(parted) name 2 crypto-luks</pre>

To view your partition table, type <code>print</code> while still in <code>parted</code>. Your results should look something like this:
<pre>(parted) print
Model: ATA TOSHIBA ******** (scsi)
Disk /dev/sda: 1000GB
Sector size (logical/physical): 512B/4096B
Partition Table: msdos
Disk Flags:

Number Start End Size Type File system Flags
1 1049kB 99.6MB 98.6MB primary ext4 boot
2 99.6MB 1000GB 1000GB primary ext4</pre>

=== UEFI with GPT disklabel ===

We will be encrypting the whole disk but the EFI system partition mounted at <code>/boot/efi</code>. This means that GRUB2 will decrypt the LUKS volume and load the kernel from there, preventing someone with physical access to your computer from maliciously installing a rootkit (or bootkit) in your boot partition while your computer is not already unlocked. The partitioning scheme will look like this:

<pre>+---------------------------+------------------------+-----------------------+
| Partition name | Partition purpose | Filesystem type |
+---------------------------+------------------------+-----------------------+
| /dev/sda1 | EFI system partition | fat32 |
| /dev/sda2 | LUKS container | LUKS |
| |-> /dev/mapper/lvmcrypt | LVM container | LVM |
| |-> /dev/vg01/root | Root partition | ext4 |
| |-> /dev/vg01/boot | Boot partition | ext4 |
| |-> /dev/vg01/swap | Swap partition | swap |
+---------------------------+------------------------+-----------------------+</pre>

{{Warning|This will delete your previous partitioning table and make your data very hard to recover. If you want to dual boot, stop here and ask an expert.}}

Create an approx. 200MB EFI system partition, then assign the rest of the space to your LUKS partition.

<pre># parted -a optimal
(parted) mklabel gpt
(parted) mkpart primary fat32 0% 200M
(parted) name 1 esp
(parted) set 1 esp on
(parted) mkpart primary ext4 200M 100%
(parted) name 2 crypto-luks</pre>

== Optional: Overwrite LUKS Partition with Random Data ==

This should be done if your hard drive wasn't encrypted previously. It helps purge old, non-encrypted data and makes it harder for an attacker to work out how much data you have on your drive if they have access to the encrypted contents.

We will be using <code>haveged</code> as it is considerably faster than <code>/dev/urandom</code> when generating pseudo-random numbers (it's almost as high as <code>/dev/zero</code> in throughput), and is (supposedly) very close to truly random.

<pre># haveged -n 0 | dd of=/dev/sda2</pre>

== Encrypting the LVM Physical Volume Partition ==

To encrypt the partition which will later contain the LVM PV, you could either use the default settings (aes-xts-plain64 cipher with 256-bit key and Argon2 hashing with iter-time 2000ms), or you could use these settings which have added security with the trade-off being a non-noticeable decrease in performance in modern computers:

Default settings:

<pre># cryptsetup luksFormat /dev/sda2</pre>

Optimized for security:

<pre># cryptsetup -v -c serpent-xts-plain64 -s 512 --hash whirlpool --iter-time 5000 --use-random luksFormat /dev/sda2</pre>

If using at least Alpine v3.11 and GRUB2 with encrypted /boot, the following should be used instead (because GRUB2 does not yet support LUKS2 containers):

<pre># cryptsetup luksFormat --type luks1 /dev/sda2</pre>

== Creating the Logical Volumes and File Systems ==

Open the LUKS partition:

<pre># cryptsetup luksOpen /dev/sda2 lvmcrypt</pre>

Create the PV on <code>lvmcrypt</code>:

<pre># pvcreate /dev/mapper/lvmcrypt</pre>

Create the <code>vg0</code> LVM VG in the <code>/dev/mapper/lvmcrypt</code> PV:

<pre># vgcreate vg0 /dev/mapper/lvmcrypt</pre>

=== LV Creation for BIOS/MBR ===

This will create a 2GB swap partition and a root partition which takes up the rest of the space. This setup is for those who do not need to use the hibernate/suspend to disk state. If you do need to suspend to disk, create a swap partition slightly larger than the size of your RAM (change the size after <code># lvcreate -L</code>).

<pre># lvcreate -L 2G vg0 -n swap
# lvcreate -l 100%FREE vg0 -n root</pre>

The LVs created in the previous steps are automatically marked active. To verify, enter:

<pre># lvscan</pre>

=== LV Creation for UEFI/GPT ===

This will create a 2GB swap partition, a 2GB boot partition and a root partition which takes up the rest of the space. This setup is for those who do not need to use the hibernate/suspend to disk state. If you do need to suspend to disk, create a swap partition slightly larger than the size of your RAM (change the size after <code># lvcreate -L</code>).

<pre># lvcreate -L 2G vg0 -n swap
# lvcreate -L 2G vg0 -n boot
# lvcreate -l 100%FREE vg0 -n root</pre>

The LVs created in the previous steps are automatically marked active. To verify, enter:

<pre># lvscan</pre>

== Creating and Mounting the File Systems ==

Format the <code>root</code> and <code>boot</code> LVs using the ext4 file system:

<pre># mkfs.ext4 /dev/vg0/root</pre>

Format the swap LV:

<pre># mkswap /dev/vg0/swap</pre>

Before you can install Alpine Linux, you must mount the partitions and LVs. Mount the root LV to the <code>/mnt/</code> directory:

<pre># mount -t ext4 /dev/vg0/root /mnt/</pre>

Next format your boot partition, create a mount point and mount it:

* If you're using BIOS and MBR:

<pre># mkfs.ext4 /dev/sda1
# mkdir -v /mnt/boot
# mount -t ext4 /dev/sda1 /mnt/boot</pre>

* If you're using UEFI and GPT:

<pre># apk add dosfstools
# mkfs.fat -F32 /dev/sda1
# mkfs.ext4 /dev/vg0/boot
# mkdir -v /mnt/boot
# mount -t ext4 /dev/vg0/boot /mnt/boot
# mkdir -v /mnt/boot/efi
# mount -t vfat /dev/sda1 /mnt/boot/efi</pre>

Lastly, activate your swap partition:

<pre># swapon /dev/vg0/swap</pre>

== Installing Alpine Linux ==

In this step you will install Alpine Linux in the <code>/mnt/</code> directory, which contains the mounted file system structure:

<pre># setup-disk -m sys /mnt/</pre>

The installer downloads the latest packages to install the base installation. Additionally, the installer automatically creates the entries for the mount points in {{Path|/etc/fstab}} file, which is currently mounted in the <code>/mnt/</code> directory.

{{Note|The automatic writing of the master boot record (MBR) fails in this step. You will write the MBR later manually to the disk.}}

The swap LV is not automatically added to the <code>fstab</code> file. To add it manually, add the following line to the {{Path|/mnt/etc/fstab}} file:

<pre>/dev/vg0/swap swap swap defaults 0 0</pre>

Edit the {{Path|/mnt/etc/mkinitfs/mkinitfs.conf}} file and append the <code>cryptsetup</code> module to the <code>features</code> parameter:

<pre>features="... cryptsetup"</pre>

If you are using GRUB with an encrypted <code>/boot</code> you should also add the <code>cryptkey</code> feature so that Alpine can use a keyfile for decryption on boot.

{{Note|Alpine Linux uses the <code>en-us</code> keyboard mapping by default when prompting for the password to decrypt the partition at boot time. If you changed the keyboard mapping in the temporary environment and want to use it at the boot password prompt, be sure to also add the <code>keymap</code> feature to the list above.}}

{{Note|Check the output of <code>mkinitfs -L</code> and add the features necessary for your system to boot. You may need to add <code>kms</code> in order to see a password prompt at boot.}}

Rebuild the initial RAM disk:

<pre># mkinitfs -c /mnt/etc/mkinitfs/mkinitfs.conf -b /mnt/ $(ls /mnt/lib/modules/)</pre>

The command uses the settings from the <code>mkinitfs.conf</code> file set in the <code>-c</code> parameter to generate the RAM disk. The command is executed in the <code>/mnt/</code> directory and the RAM disk is generated using the modules for the installed kernel. Without setting the kernel version using the <code>$(ls /mnt/lib/modules/</code>) option, <code>mkinitfs</code> tries to generate the RAM disk using the kernel version installed in the temporary environment, which can differ from the latest one installed by the <code>setup-disk</code> utility.

== Installing a bootloader ==

To get the UUID of your storage device into a file for later use, use this command:

<pre># blkid -s UUID -o value /dev/sda2 > ~/uuid</pre>

{{Tip|To easily read the UUID into a file so you don't have to type it manually, open the file in <code>vi</code>, then type <code>:r /root/uuid</code> to load the UUID onto a new line.}}

=== Syslinux with BIOS ===

Install the Syslinux package:

<pre># apk add syslinux</pre>

Edit {{Path|/mnt/etc/update-extlinux.conf}} and append the following kernel options to the <code>default_kernel_opts</code> parameter, replacing <UUID> with the UUID of <code>/dev/sda2</code>:

<pre>default_kernel_opts="... cryptroot=UUID=<UUID> cryptdm=lvmcrypt"</pre>

The <code>cryptroot</code> parameter sets the name of the device that contains the root file system, and the <code>cryptdm</code> parameter sets the name of the mapping previously set in <code>crypttab</code>.

Because the <code>update-extlinux</code> utility operates only on the <code>/boot/</code> directory, temporarily change the root to the <code>/mnt/</code> directory and update the boot loader configuration:

<pre># chroot /mnt/
# update-extlinux
# exit</pre>

: If an error occurs in the <code>update-extlinux</code> command you can most likely ignore it.

Write the MBR to the <code>/dev/sda</code> device:

<pre># dd bs=440 count=1 conv=notrunc if=/mnt/usr/share/syslinux/mbr.bin of=/dev/sda</pre>

=== Grub with UEFI ===

To avoid having to type your decryption password twice every boot (once for GRUB and once for Alpine), add a keyfile to your LUKS partition. The filename is important.

<pre># dd bs=512 count=4 if=/dev/urandom of=/mnt/crypto_keyfile.bin
# cryptsetup luksAddKey /dev/sda2 /mnt/crypto_keyfile.bin
</pre>

This keyfile is stored encrypted at rest (it is in your LUKS partition), so it's existence does not reduce the security of the system.

Mount the required filesystems for the Grub EFI installer to the installation:

<pre># mount -t proc /proc /mnt/proc
# mount --rbind /dev /mnt/dev
# mount --make-rslave /mnt/dev
# mount --rbind /sys /mnt/sys</pre>

Then chroot in and use <code>grub-install</code> to install Grub.

<pre># chroot /mnt
# source /etc/profile
# export PS1="(chroot) $PS1"</pre>

Install <code>GRUB2</code> for EFI and (optionally) remove syslinux:

<pre># apk add grub grub-efi efibootmgr
# apk del syslinux</pre>

Edit {{Path|/etc/default/grub}} and add the following kernel options to the <code>GRUB_CMDLINE_LINUX_DEFAULT</code> parameter, replacing <UUID> with the UUID of the encrypted partition (in this case, <code>/dev/sda2</code>):

<pre>cryptroot=UUID=<UUID> cryptdm=lvmcrypt cryptkey</pre>

The <code>cryptroot</code> parameter sets the name of the device that contains the root file system. The <code>cryptkey</code> parameter indicates the existence of the file <code>/crypto_keyfile.bin</code> you created previously.

To enable GRUB to decrypt LUKS partitions and read LVM volumes add:

<pre>GRUB_PRELOAD_MODULES="luks cryptodisk part_gpt lvm"</pre>

If using at least Alpine v3.11, <code>GRUB_ENABLE_CRYPTODISK=y</code> should also be added to {{Path|/etc/default/grub}}.

<pre># (chroot) grub-install --target=x86_64-efi --efi-directory=/boot/efi
# (chroot) grub-mkconfig -o /boot/grub/grub.cfg
# (chroot) exit</pre>

== Unmounting the Volumes and Partitions ==

Unmount the <code>/mnt/</code> partitions, deactivate the LVM volumes, close the LUKS partition and reboot:

<pre># cd
# umount -l /mnt/dev
# umount -l /mnt/proc
# umount -l /mnt/sys
# umount /mnt/boot/efi
# umount /mnt/boot
# swapoff /dev/vg0/swap
# umount /mnt
# vgchange -a n
# cryptsetup luksClose lvmcrypt
# reboot</pre>

= Troubleshooting =

== General Procedure ==

In case your system fails to boot, you can verify the settings and fix incorrect configurations.

Reboot and do the steps in [[#Preparing_the_Temporary_Installation_Environment|Prepare the temporary installation environment]] again.

Setup the LUKS partition and activate the LVs:

<pre># cryptsetup luksOpen /dev/sda2
# vgchange -ay</pre>

[[#Creating_and_Mounting_the_File Systems|Mount the file systems]]

Verify that you run the steps described in the [[#Installing_Alpine_Linux|Installing Alpine Linux]] section correctly. Update the configuration if necessary, unmount the partitions, then reboot.

== System can't find boot device ==

This can be because you are using a GPT partition table on a motherboard that runs BIOS instead of UEFI, or you are running an MSDOS/MBR/Syslinux install without enabling legacy boot mode in the UEFI settings.

== Secure boot ==

If secure boot complains of an unsigned bootloader, you can either disable it or adapt [https://wiki.archlinux.org/index.php/Secure_Boot this] guide to sign GRUB. If you're using Syslinux, then secure boot should be automatically disabled when you enable legacy boot mode.

= Hardening =

* To harden, you should disable DMA[https://old.iseclab.org/papers/acsac2012dma.pdf] and install a hardened version of AES (TRESOR[https://www1.informatik.uni-erlangen.de/tresor] or Loop-Amnesia[http://moongate.ydns.eu/amnesia.html]) since by default cryptsetup with luks uses AES by default.
* Disable DMA in the BIOS and set the password for the BIOS according to Wikipedia.[https://en.wikipedia.org/wiki/DMA_attack]
* Blacklist kernel modules that use DMA and any unused expansion modules (FireWire, CardBus, ExpressCard, Thunderbolt, USB 3.0, PCI Express and hotplug modules) that use DMA.

= Mounting additional encrypted filesystems at boot =

If you would like other encrypted LUKS partitions to be decrypted and mounted automatically during boot, for example if you have <code>/home</code> on a separate physical drive, some extra steps are required. For the purposes of these instructions we will say <code>/dev/sdb1</code> contains an LVM volume that should be mounted at <code>/home</code>.

Create a keyfile and add it to the LUKS partition:

<pre># dd bs=512 count=4 if=/dev/urandom of=/root/crypt-home-keyfile.bin
# cryptsetup luksAddKey /dev/sdb1 /root/crypt-home-keyfile.bin
</pre>

Alpine, like Gentoo, uses the <code>dmcrypt</code> service rather than <code>/etc/crypttab</code>. Add the following lines to <code>/etc/conf.d/dmcrypt</code>:

<pre>target=crypt-home
source='/dev/sdb1'
key='/root/crypt-home-keyfile.bin'
</pre>

Add an entry to <code>/etc/fstab</code>, changing <code>vg1</code> to the name of your LVM volume group:

<pre>/dev/vg1/home /home ext4 rw,relatime 0 2</pre>

Enable the dmcrypt and lvm services to start on boot:

<pre># rc-update add dmcrypt boot
# rc-update add lvm boot
</pre>

After a reboot the partition should be decrypted and mounted automatically.

= See also =
*[[Bootloaders]]
*[[Alpine setup scripts]]
*[[Installing on GPT LVM]]
*[[Setting up LVM on GPT-labeled disks]]
*[[Setting up disks manually]]
*https://wiki.gentoo.org/wiki/Syslinux
*https://wiki.gentoo.org/wiki/GRUB2
*https://wiki.archlinux.org/index.php/Syslinux
*https://wiki.archlinux.org/index.php/GRUB
*https://wiki.gentoo.org/wiki/Sakaki's_EFI_Install_Guide
*https://battlepenguin.com/tech/alpine-linux-with-full-disk-encryption/
*https://wiki.gentoo.org/wiki/Dm-crypt

[[Category:Storage]]
[[Category:Security]]